Windows Analysis Report
12ss323fcw8gsd4bvd.exe

Source: classification engine

Classification label: mal60.evad.winEXE@8/6@1/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03

Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe

File created: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\

Source: 12ss323fcw8gsd4bvd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 12ss323fcw8gsd4bvd.exe, 00000003.00000002.2521955465.00007FF7AC1C7000.00000002.00000001.01000000.00000004.sdmp, 12ss323fcw8gsd4bvd.exe, 00000003.00000000.1274101733.00007FF7AC1C7000.00000002.00000001.01000000.00000004.sdmp, 12ss323fcw8gsd4bvd.exe, 00000003.00000002.2520774301.00000257C9F64000.00000004.00000020.00020000.00000000.sdmp, VTP1Ibi1ak.exe, 00000009.00000000.1281079166.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe, 00000009.00000002.2521051633.000002681CCF3000.00000004.00000020.00020000.00000000.sdmp, VTP1Ibi1ak.exe, 00000009.00000002.2522005948.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe, 0000000A.00000002.1310837494.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe, 0000000A.00000002.1309240478.0000024234A8B000.00000004.00000020.00020000.00000000.sdmp, VTP1Ibi1ak.exe, 0000000A.00000000.1304908077.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe.3.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 12ss323fcw8gsd4bvd.exe, 00000003.00000002.2521955465.00007FF7AC1C7000.00000002.00000001.01000000.00000004.sdmp, 12ss323fcw8gsd4bvd.exe, 00000003.00000000.1274101733.00007FF7AC1C7000.00000002.00000001.01000000.00000004.sdmp, 12ss323fcw8gsd4bvd.exe, 00000003.00000002.2520774301.00000257C9F64000.00000004.00000020.00020000.00000000.sdmp, VTP1Ibi1ak.exe, 00000009.00000000.1281079166.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe, 00000009.00000002.2521051633.000002681CCF3000.00000004.00000020.00020000.00000000.sdmp, VTP1Ibi1ak.exe, 00000009.00000002.2522005948.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe, 0000000A.00000002.1310837494.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe, 0000000A.00000002.1309240478.0000024234A8B000.00000004.00000020.00020000.00000000.sdmp, VTP1Ibi1ak.exe, 0000000A.00000000.1304908077.00007FF69A976000.00000002.00000001.01000000.00000005.sdmp, VTP1Ibi1ak.exe.3.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: Accept-Additions
Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: List-Help
Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: MMHS-Exempted-Address
Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: Originator-Return-Address
Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: id-cmc-addExtensions
Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: set-addPolicy
Source: 12ss323fcw8gsd4bvd.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectorycw-outbodyheadercw_out, wrote %zu %s bytes -> %zuWrite callback asked for PAUSE when not supportedcw_out, PAUSE requested by clientclient returned ERROR on write of %zu bytesFailure writing output to destination, passed %zu returned %zd notcw-out is%spausedcw-out done--:--:--%2lld:%02lld:%02lld%3lldd %02lldh%7lldd%5lld%4lldk%2lld.%0lldM%4lldM%2lld.%0lldG%4lldG%4lldT%4lldP** Resuming transfer from byte position %lld

Source: unknown	Process created: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe "C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe"
Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Process created: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe "C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe'"	Jump to behavior
Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Process created: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe "C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe"	Jump to behavior

Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Loading BitLocker PowerShell Module

Source: 12ss323fcw8gsd4bvd.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 12ss323fcw8gsd4bvd.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 12ss323fcw8gsd4bvd.exe

Static file information: File size 15707648 > 1048576

Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x135600
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xdb1000

Source: 12ss323fcw8gsd4bvd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 12ss323fcw8gsd4bvd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 12ss323fcw8gsd4bvd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Proj\MegaCrypt\MonsterCrypt\out\build\x64-release\MonsterCrypt.pdb source: 12ss323fcw8gsd4bvd.exe, VTP1Ibi1ak.exe.3.dr

Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 12ss323fcw8gsd4bvd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe

File created: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6207			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3464			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep count: 6207 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep count: 3464 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: VTP1Ibi1ak.exe, 00000009.00000002.2520775737.000002681B214000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: VTP1Ibi1ak.exe, 0000000A.00000002.1309150073.000002423308F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe'"
Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe'"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe

Code function: 3_2_00007FF7AC14D1C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00007FF7AC14D1C4

Source: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
12ss323fcw8gsd4bvd.exe	5%	Virustotal		Browse
12ss323fcw8gsd4bvd.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://api.ipify.orgy:Feb:Feb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	VTP1Ibi1ak.exe, 00000009.00000002.2520775737.000002681B214000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/r:March:	VTP1Ibi1ak.exe, 00000009.00000002.2520775737.000002681B214000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/docs/hsts.html	12ss323fcw8gsd4bvd.exe, VTP1Ibi1ak.exe.3.dr	false		high
https://api.ipify.org	VTP1Ibi1ak.exe, 00000009.00000002.2520775737.000002681B214000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/docs/alt-svc.html	12ss323fcw8gsd4bvd.exe, VTP1Ibi1ak.exe.3.dr	false		high
https://api.ipify.org/August:S	VTP1Ibi1ak.exe, 00000009.00000002.2520775737.000002681B214000.00000004.00000020.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	12ss323fcw8gsd4bvd.exe, VTP1Ibi1ak.exe.3.dr	false		high
https://api.ipify.orgy:Feb:Feb	VTP1Ibi1ak.exe, 00000009.00000002.2520775737.000002681B214000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.4.119.125	unknown	Germany		24940	HETZNER-ASDE	false
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1639740
Start date and time:	2025-03-16 06:37:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	12ss323fcw8gsd4bvd.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@8/6@1/3
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56, 20.223.36.55, 150.171.28.10, 2.19.96.128
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, g.bing.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 12ss323fcw8gsd4bvd.exe, PID 7844 because there are no executed function
Execution Graph export aborted for target VTP1Ibi1ak.exe, PID 772 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:38:08	API Interceptor	20x Sleep call for process: powershell.exe modified
06:38:09	Task Scheduler	Run new task: MSTR tsk path: C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	LauncherV9.exe	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	Catch Me If You Can (2002) 1080p.BluRay.x264.Full 744MB.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=xml
	NightFixed 1.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	VRChat_ERP_Setup 1.0.0.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	wEY98gM1Jj.ps1	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	DeepLauncher.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	[Huawei] Contract for YouTube partners.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Payment_Slip.pdf.exe	Get hash	malicious	Remcos, AgentTesla	Browse	104.26.12.205
	LauncherV9.exe	Get hash	malicious	LummaC Stealer	Browse	104.26.12.205
	b0hgYat.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Order.js	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	VSAXXKuhCu.exe	Get hash	malicious	Amadey, AsyncRAT	Browse	104.26.12.205
	https://pub-d8608ab2809441ca8bf5355b4fe14129.r2.dev/index.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://mellifluous-brioche.netlify.app/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://case-id-100052538.dafea.co.uk/	Get hash	malicious	Unknown	Browse	104.26.12.205
	Software Installer.exe	Get hash	malicious	Unknown	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	KYlzMNjRNn.exe	Get hash	malicious	AZORult	Browse	66.235.200.145
	SecuriteInfo.com.Win32.RATX-gen.20425.5895.exe	Get hash	malicious	Unknown	Browse	104.21.32.1
	SecuriteInfo.com.Win32.RATX-gen.3254.10881.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	SecuriteInfo.com.Win64.Evo-gen.10253.22166.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	file.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	RootkitBuilder.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	RootkitBuilder.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	ImageG.exe	Get hash	malicious	NovaSentinel	Browse	104.21.6.223
	ImageG.exe	Get hash	malicious	NovaSentinel	Browse	172.64.41.3
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	1.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	valorant_ESP_aimbot.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	setup.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Cb523jmji0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	leFhB1aYaW.exe	Get hash	malicious	DCRat	Browse	104.26.12.205
	Loader.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	1.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	setup.msi	Get hash	malicious	Unknown	Browse	104.26.12.205
	5bf784.msi	Get hash	malicious	Unknown	Browse	104.26.12.205
	34.exe	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul/nq/llh:NllUyt
MD5:	AB80AD9A08E5B16132325DF5584B2CBE
SHA1:	F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256:	5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512:	9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4q02lmao.5op.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cwu5hqws.vuj.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdarbtbk.5om.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xb05tu4q.mzq.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe

Process:	C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13577216
Entropy (8bit):	6.668299283121651
Encrypted:	false
SSDEEP:	196608:V28BF5UoykUxv987qMNR4Ok/RDpgPnqSuR3pfRkGJ6:Q8BhUxFUqMNR4Ok5DpgPnqSuR3pfRZ6
MD5:	7994502ED5C8FFE9FC84E164B440124E
SHA1:	3BF7C1BE79C753352B5A6787FB10D84918897887
SHA-256:	D6DC19434F42EAD855996F06F8292266D3DCEDEAB440F7DDD9F1710BADCF5C11
SHA-512:	5F41ED0FF3F3E062815CCA49D0A77842DB11B24F39B46BDF658D7F9CA3B2A7F80C164F64D8B71A827E7C7C40F2B5A13C2A6C3A92F09A34F86EABE5110A458C1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0@XO^.XO^.XO^..7].PO^..7[..O^..7Z.JO^.H..YO^.H.].RO^.H.Z.HO^.H.[..O^...Z.iO^..7_.SO^.XO_..O^...[.nO^....YO^...\.YO^.RichXO^.........................PE..d...v..g.........."....).J.....................@..........................................`.....................................................x....@.......P...............P...&......T.......................(.......@............`...............................text....I.......J.................. ..`.rdata..v....`.......N..............@..@.data....N.......,..................@....pdata.......P......................@..@.rsrc........@......................@..@.reloc...&...P...(..................@..B........................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.632052018237946
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	12ss323fcw8gsd4bvd.exe
File size:	15'707'648 bytes
MD5:	e601c2b74b5310c0ca14d51e7f280e31
SHA1:	964380d913023be7f01024ec1e1ad0a12b8ce09d
SHA256:	f2a1a5c3caed37986a16eca229a0f4a8a84f124a056c8af296beb4c218f55eb7
SHA512:	be5af5ab1149e7136b0736c1fa026611205fcbfcfa4f40feefb3b908cb29867da741ac69f475c67ea6624068122d4df88dcab6a5493a7a3f9c3a500bc164c794
SSDEEP:	393216:FBl8BhUxFUqMNR4Ok5DpgPnqSuR3pfRZ6:FBl8BWGbGZ
TLSH:	DAF6AE66A6B800E9D47B8078C9965617E772741903F097DB269457FA2F23BE03F3BB40
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0@XO^.XO^.XO^..7].PO^..7[..O^..7Z.JO^.H...YO^.H.].RO^.H.Z.HO^.H.[..O^...Z.iO^..7_.SO^.XO_..O^...[.nO^.....YO^...\.YO^.RichXO^

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400bc5e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D402AE [Fri Mar 14 10:19:26 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	c9d1ef3b58371b8177b0a6ccbdd16831

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBD38BE48A0h
dec eax
add esp, 28h
jmp 00007FBD38BE3AD7h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0007AD83h]
dec eax
mov ecx, ebx
call dword ptr [0007AD72h]
call dword ptr [0007AA54h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0007AD68h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [0007AD5Ch]
test eax, eax
je 00007FBD38BE3CC9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [00E2EE22h]
call 00007FBD38BE3FA2h
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00E2EF09h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00E2EE99h], eax
dec eax
mov eax, dword ptr [00E2EEF2h]
dec eax
mov dword ptr [00E2ED63h], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [00E2EE67h], eax
mov dword ptr [00E2ED3Dh], C0000409h
mov dword ptr [00E2ED37h], 00000001h
mov dword ptr [00E2ED41h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xee6adc	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xefc000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xeed000	0xecf4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xefd000	0x26ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xec7710	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xec7a00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xec75d0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x137000	0x590	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x135504	0x135600	c40b3b7d5a759f7cee56e4689c7d9ced	False	0.41537799873737374	data	6.500046775555982	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x137000	0xdb0e9e	0xdb1000	45f00b919953cc3839c18cf8bd59958e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xee8000	0x4efc	0x2c00	44cdb414f75f2b532be0be900f427e68	False	0.15651633522727273	data	3.849439099818337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xeed000	0xecf4	0xee00	f1272e01fdfd4679e46dcc0035fd8585	False	0.5142463235294118	data	6.155924453292642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xefc000	0x1e0	0x200	f76a35e599edda0377fd46c32a79f7e8	False	0.53515625	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xefd000	0x26ec	0x2800	7631a572a4840f33345dd3075f47c4af	False	0.59384765625	data	6.3158741907646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xefc060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
ntdll.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind, RtlPcToFileHeader, RtlUnwindEx, RtlLeaveCriticalSection, RtlEnterCriticalSection, NtAllocateVirtualMemory, LdrEnumerateLoadedModules, RtlUnwind
KERNEL32.dll	GetCommandLineA, SetEndOfFile, LoadLibraryA, ExitProcess, CreateDirectoryA, SetFileAttributesA, GetTempPathA, CloseHandle, WaitForSingleObject, CreateProcessA, GetCurrentProcess, GetModuleFileNameW, lstrcpyW, lstrcatW, GetLastError, VirtualProtect, VirtualQueryEx, ReadProcessMemory, WriteProcessMemory, GetSystemInfo, GetCommandLineW, VirtualFree, VirtualQuery, GetProcAddress, OutputDebugStringA, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, GetLargePageMinimum, GetTimeZoneInformation, GetOEMCP, GetACP, WriteConsoleW, SetStdHandle, OutputDebugStringW, GetProcessHeap, SetEnvironmentVariableW, GetEnvironmentStringsW, VirtualAlloc, EncodePointer, IsValidCodePage, SetConsoleCtrlHandler, HeapQueryInformation, HeapSize, HeapReAlloc, LocalFree, FormatMessageA, GetLocaleInfoEx, SetCurrentDirectoryW, GetCurrentDirectoryW, CreateDirectoryW, CreateFileW, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetDiskFreeSpaceExW, GetFileAttributesW, GetFileAttributesExW, GetFileInformationByHandle, GetFinalPathNameByHandleW, GetFullPathNameW, SetFileAttributesW, SetFileInformationByHandle, SetFileTime, GetTempPathW, AreFileApisANSI, DeviceIoControl, GetModuleHandleW, CreateDirectoryExW, CopyFileW, MoveFileExW, CreateHardLinkW, GetFileInformationByHandleEx, CreateSymbolicLinkW, MultiByteToWideChar, WideCharToMultiByte, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetCurrentThreadId, InitializeCriticalSectionEx, ReadConsoleW, DecodePointer, LCMapStringEx, QueryPerformanceCounter, QueryPerformanceFrequency, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, FreeLibraryWhenCallbackReturns, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetStringTypeW, CompareStringEx, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, WakeAllConditionVariable, SleepConditionVariableSRW, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, GetStdHandle, WriteFile, GetCurrentThread, HeapAlloc, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, FreeEnvironmentStringsW
SHELL32.dll	SHGetKnownFolderPath
ole32.dll	CoInitializeEx, CoUninitialize, CoTaskMemFree, CoGetObject
ADVAPI32.dll	OpenProcessToken, GetTokenInformation

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2025 06:38:08.193190098 CET	49720	7712	192.168.2.5	46.4.119.125
Mar 16, 2025 06:38:08.198728085 CET	7712	49720	46.4.119.125	192.168.2.5
Mar 16, 2025 06:38:08.198811054 CET	49720	7712	192.168.2.5	46.4.119.125
Mar 16, 2025 06:38:08.231427908 CET	49723	443	192.168.2.5	104.26.12.205
Mar 16, 2025 06:38:08.231457949 CET	443	49723	104.26.12.205	192.168.2.5
Mar 16, 2025 06:38:08.231533051 CET	49723	443	192.168.2.5	104.26.12.205
Mar 16, 2025 06:38:08.246609926 CET	49723	443	192.168.2.5	104.26.12.205
Mar 16, 2025 06:38:08.246644020 CET	443	49723	104.26.12.205	192.168.2.5
Mar 16, 2025 06:38:08.681760073 CET	443	49723	104.26.12.205	192.168.2.5
Mar 16, 2025 06:38:08.681839943 CET	49723	443	192.168.2.5	104.26.12.205
Mar 16, 2025 06:38:08.784522057 CET	49723	443	192.168.2.5	104.26.12.205
Mar 16, 2025 06:38:08.784641981 CET	443	49723	104.26.12.205	192.168.2.5
Mar 16, 2025 06:38:08.784720898 CET	49723	443	192.168.2.5	104.26.12.205
Mar 16, 2025 06:38:08.784790039 CET	49720	7712	192.168.2.5	46.4.119.125
Mar 16, 2025 06:38:08.789572001 CET	7712	49720	46.4.119.125	192.168.2.5
Mar 16, 2025 06:38:08.971412897 CET	7712	49720	46.4.119.125	192.168.2.5
Mar 16, 2025 06:38:09.021212101 CET	49720	7712	192.168.2.5	46.4.119.125

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2025 06:38:08.218269110 CET	64849	53	192.168.2.5	1.1.1.1
Mar 16, 2025 06:38:08.224929094 CET	53	64849	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 16, 2025 06:38:08.218269110 CET	192.168.2.5	1.1.1.1	0x3a2f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 16, 2025 06:38:08.224929094 CET	1.1.1.1	192.168.2.5	0x3a2f	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Mar 16, 2025 06:38:08.224929094 CET	1.1.1.1	192.168.2.5	0x3a2f	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Mar 16, 2025 06:38:08.224929094 CET	1.1.1.1	192.168.2.5	0x3a2f	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

Target ID:	3
Start time:	01:38:06
Start date:	16/03/2025
Path:	C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\12ss323fcw8gsd4bvd.exe"
Imagebase:	0x7ff7ac090000
File size:	15'707'648 bytes
MD5 hash:	E601C2B74B5310C0CA14D51E7F280E31
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	01:38:06
Start date:	16/03/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe'"
Imagebase:	0x7ff7785e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	01:38:06
Start date:	16/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7e2000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	01:38:07
Start date:	16/03/2025
Path:	C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe"
Imagebase:	0x7ff69a840000
File size:	13'577'216 bytes
MD5 hash:	7994502ED5C8FFE9FC84E164B440124E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	01:38:09
Start date:	16/03/2025
Path:	C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\hjN43jS1b3\VTP1Ibi1ak.exe
Imagebase:	0x7ff69a840000
File size:	13'577'216 bytes
MD5 hash:	7994502ED5C8FFE9FC84E164B440124E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	01:38:10
Start date:	16/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff686060000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false