Analysis Report IJht2pqbVh

Overview

General Information

Sample Name: IJht2pqbVh (renamed file extension from none to exe)
Analysis ID: 385060
MD5: 2716659c3b1e8927dcb2e418e99b1ea5
SHA1: 0428a2ead08f005f3c90a493e10207322d8a429b
SHA256: 1ba9ef8703b10a0f158636a138b120835e9588c21ec2e78be898afcae54b0142
Tags: Ransomware, wintenzz

Detection

Wintennz
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Wintennz Ransomware
Deletes shadow drive data (may be related to ransomware)
Drops HTML or HTM files to system directories
Drops PE files to the startup folder
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Suspicious powershell command line found
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • IJht2pqbVh.exe (PID: 7096 cmdline: 'C:\Users\user\Desktop\IJht2pqbVh.exe' MD5: 2716659C3B1E8927DCB2E418E99B1EA5)
    • powershell.exe (PID: 7148 cmdline: 'powershell' get-wmiobject win32_computersystem | fl model MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5992 cmdline: 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6396 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vssadmin.exe (PID: 6588 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
        • vssadmin.exe (PID: 6976 cmdline: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB MD5: 47D51216EF45075B5F7EAA117CC70E40)
    • cmd.exe (PID: 6552 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • iexplore.exe (PID: 6296 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • winstrt10.exe (PID: 3492 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe' MD5: 2716659C3B1E8927DCB2E418E99B1EA5)
    • powershell.exe (PID: 2792 cmdline: 'powershell' get-wmiobject win32_computersystem | fl model MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5996 cmdline: 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 492 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vssadmin.exe (PID: 4684 cmdline: vssadmin.exe Delete Shadows /All /Quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
        • vssadmin.exe (PID: 7112 cmdline: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB MD5: 47D51216EF45075B5F7EAA117CC70E40)
    • powershell.exe (PID: 6240 cmdline: 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1584 cmdline: 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 2792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
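The process tree above is a compact chain of host indicators: a user-path executable spawning PowerShell for a WMI model query (VM check), PowerShell elevating a batch file with -Verb runas, that batch file running vssadmin to delete shadow copies and shrink shadow storage, and a copy of the sample executing from the per-user Startup folder. The following Python detection pass is an added example, not part of the Joe Sandbox report or the sample, that turns those indicators into rules and runs them over constructed process-creation events modelled on the tree. The parent PID 1000 for the root processes, the event field names, the rule names and the benign control event are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon EID 1 / EDR record would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events: PIDs, images and command lines mirror the report's
# process tree. Parent PID 1000 for the root processes is assumed (not in the report).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(7096, 1000, r"C:\Users\user\Desktop\IJht2pqbVh.exe",
              r"'C:\Users\user\Desktop\IJht2pqbVh.exe'"),
    ProcEvent(7148, 7096, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "'powershell' get-wmiobject win32_computersystem | fl model"),
    ProcEvent(5992, 7096, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas"),
    ProcEvent(6396, 5992, r"C:\Windows\System32\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'"),
    ProcEvent(6588, 6396, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(6976, 6396, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB"),
    ProcEvent(3492, 1000,
              r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe",
              r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe'"),
    # Benign control (constructed): an administrator listing shadow copies must not fire.
    ProcEvent(4000, 1000, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe List Shadows"),
]

# Command-line rules, one per behaviour the sandbox flagged. Rule names are this example's own.
CMDLINE_RULES = {
    "vss_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vss_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "ps_wmi_computersystem": re.compile(r"\bget-wmiobject\s+win32_computersystem\b", re.I),
    "ps_startprocess_runas": re.compile(r"\bstart-process\b.*-verb\s+runas\b", re.I),
}
# Image rule: any executable launched out of a per-user Startup folder.
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)


def classify(ev: ProcEvent) -> List[str]:
    """Return the rule names this single event matches (empty list for benign events)."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)]
    if STARTUP_EXE.search(ev.image):
        hits.append("startup_folder_exe")
    return hits


def user_path_origin(by_pid: Dict[int, ProcEvent], pid: int) -> Optional[int]:
    """Walk parent links from pid and return the first process (self included)
    whose image lives under C:\\Users\\, i.e. the user-writable origin of the chain."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if ev.image.lower().startswith("c:\\users\\"):
            return ev.pid
        pid = ev.ppid
    return None


def scan(events: List[ProcEvent]) -> List[dict]:
    """Run every rule over every event and attribute each hit to its user-path origin."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in classify(ev):
            findings.append({"pid": ev.pid, "rule": rule,
                             "origin_pid": user_path_origin(by_pid, ev.pid)})
    return findings


def ransomware_precursor_pids(events: List[ProcEvent]) -> List[int]:
    """User-path processes that, directly or via children, evicted shadow copies
    (a Delete Shadows, or a ShadowStorage resize, which drops the oldest copies)."""
    evict = {"vss_delete_shadows", "vss_resize_shadowstorage"}
    return sorted({f["origin_pid"] for f in scan(events)
                   if f["rule"] in evict and f["origin_pid"] is not None})


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<26} origin pid {f['origin_pid']}")
    print("ransomware precursor origin PIDs:", ransomware_precursor_pids(SAMPLE_EVENTS))
```

Two design points matter here. First, the parent walk back to a user-writable origin is what separates this chain from an administrator running vssadmin from an elevated console: the vssadmin, cmd and PowerShell images are all System32 binaries, and only the tree root (IJht2pqbVh.exe on the Desktop, or winstrt10.exe in the Startup folder) gives the alert its context. Second, the ShadowStorage resize is scored alongside the delete: shrinking the storage area below its current usage evicts the oldest shadow copies, so a sample that only resized would still be removing restore points while dodging a rule that keys on "Delete Shadows" alone.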

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
IJht2pqbVh.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xb21b1:$: DECRYPT.txt
IJht2pqbVh.exe | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xb21b1:$: DECRYPT.txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |
00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |
00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |
00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |
Process Memory Space: IJht2pqbVh.exe PID: 7096 | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
22.2.winstrt10.exe.7ff78d1a0000.0.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xb21b1:$: DECRYPT.txt
22.2.winstrt10.exe.7ff78d1a0000.0.unpack | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |
0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xb21b1:$: DECRYPT.txt
0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack | JoeSecurity_Wintennz | Yara detected Wintennz Ransomware | Joe Security |
22.0.winstrt10.exe.7ff78d1a0000.0.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth | 0xb21b1:$: DECRYPT.txt
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: IJht2pqbVh.exe | Virustotal: Detection: 49%
Source: IJht2pqbVh.exe | Metadefender: Detection: 27%
Source: IJht2pqbVh.exe | ReversingLabs: Detection: 62%
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.198.174.208:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 91.198.174.208:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: IJht2pqbVh.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\wintenzz\wintenzz\target\release\deps\wntnproj.pdb | source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Code function: 0_2_00007FF606E64F30 memset,FindFirstFileW,memmove,GetLastError
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: unknown | DNS traffic detected: queries for: 2no.co
Source: powershell.exe, 00000002.00000002.647554331.000002F13406A000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.655618500.00000252E04B7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.738087210.0000019FC1C34000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.764899800.000001994F184000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.790451402.000001ADFDF08000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000017.00000002.739969866.0000019FC213B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000017.00000002.739969866.0000019FC213B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micr-Fm
Source: powershell.exe, 00000002.00000002.639779450.000002F11BEA0000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.668145923.00000252D81C7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.726558654.0000019FA9990000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.751433810.0000019936F41000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.639521979.000002F11BC91000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.657155045.00000252C8021000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.725579504.0000019FA9781000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.750960839.0000019936D31000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778038630.000001ADE5B71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | String found in binary or memory: http://www.myip.ch
Source: IJht2pqbVh.exe, IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | String found in binary or memory: https://2no.co/2DetN5
Source: winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | String found in binary or memory: https://bitcoin.org/en/buy
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.639988526.000002F11C05D000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.728977699.0000019FAA302000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.648382805.000002F134226000.00000004.00000001.sdmp | String found in binary or memory: https://go.micros
Source: powershell.exe, 00000002.00000002.639779450.000002F11BEA0000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.668145923.00000252D81C7000.00000004.00000001.sdmp, powershell.exe, 00000017.00000002.726558654.0000019FA9990000.00000004.00000001.sdmp, powershell.exe, 0000001C.00000002.751433810.0000019936F41000.00000004.00000001.sdmp, powershell.exe, 00000024.00000002.778653736.000001ADE5D80000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000002.00000002.641502261.000002F11C715000.00000004.00000001.sdmp | String found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Wintennz Ransomware
Source: Yara match | File source: IJht2pqbVh.exe, type: SAMPLE
Source: Yara match | File source: 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.794273843.00007FF78D252000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.674460187.00007FF606EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IJht2pqbVh.exe PID: 7096, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, type: DROPPED
Source: Yara match | File source: 22.2.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE
Deletes shadow drive data (may be related to ransomware)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: IJht2pqbVh.exe, 00000000.00000000.631159897.00007FF606EC2000.00000002.00020000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000008.00000002.659262931.000001F15A3F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000008.00000002.659278208.000001F15A420000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quietvssadmin.exe Delete Shadows /All /QuietWinsta0\Default
Source: vssadmin.exe, 00000008.00000002.659278208.000001F15A420000.00000004.00000020.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000008.00000002.659505252.000001F15A6A5000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/Quiet
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 0000000B.00000002.661595761.0000021F321F0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: winstrt10.exe, 00000016.00000000.714954572.00007FF78D252000.00000002.00020000.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000020.00000002.750372111.0000024D49870000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quietvssadmin.exe Delete Shadows /All /QuietWinsta0\Defaultm
Source: vssadmin.exe, 00000020.00000002.750372111.0000024D49870000.00000004.00000020.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: vssadmin.exe, 00000020.00000002.750372111.0000024D49870000.00000004.00000020.sdmp | Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet)
Source: vssadmin.exe, 00000020.00000002.750486932.0000024D49B64000.00000004.00000040.sdmp | Binary or memory string: vssadmin.exeDeleteShadows/All/Quietz
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000020.00000002.750276610.0000024D49820000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000021.00000002.752712883.0000028F097C0000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
May disable shadow drive data (uses vssadmin)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
                    Modifies existing user documents (likely ransomware behavior)Show sources
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeFile deleted: C:\Users\user\Desktop\LHEPQPGEWF.xlsxJump to behavior
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeFile deleted: C:\Users\user\Desktop\LHEPQPGEWF.xlsxJump to behavior
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeFile deleted: C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docxJump to behavior
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeFile deleted: C:\Users\user\Desktop\BXAJUJAOEO\BXAJUJAOEO.docxJump to behavior
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeFile deleted: C:\Users\user\Desktop\LHEPQPGEWF\BQJUWOYRTO.pdfJump to behavior
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E33F500_2_00007FF606E33F50
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E9DDD00_2_00007FF606E9DDD0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E5CDC00_2_00007FF606E5CDC0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E14D3F0_2_00007FF606E14D3F
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E22CB00_2_00007FF606E22CB0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E66C700_2_00007FF606E66C70
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E330200_2_00007FF606E33020
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E46F800_2_00007FF606E46F80
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E6C1200_2_00007FF606E6C120
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E478E00_2_00007FF606E478E0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E5C5C00_2_00007FF606E5C5C0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E31D700_2_00007FF606E31D70
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E457200_2_00007FF606E45720
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E3E6F00_2_00007FF606E3E6F0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E5AE400_2_00007FF606E5AE40
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E63B400_2_00007FF606E63B40
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E62B400_2_00007FF606E62B40
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E765200_2_00007FF606E76520
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E3E5100_2_00007FF606E3E510
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E3EA300_2_00007FF606E3EA30
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E79A000_2_00007FF606E79A00
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E7A9F00_2_00007FF606E7A9F0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E6E9500_2_00007FF606E6E950
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E3E3000_2_00007FF606E3E300
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E782B00_2_00007FF606E782B0
                    Source: C:\Users\user\Desktop\IJht2pqbVh.exeCode function: 0_2_00007FF606E76A500_2_00007FF606E76A50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35A46196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35A46F42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35A419A8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFA35A41A30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1ECDC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D22DDD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1F6C70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1EAE40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1CE6F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1A4D3F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D206520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1C1D70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1EC5C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1C3020
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1D78E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1C3F50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1D5720
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1D6F80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D206A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1CEA30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D2082B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1CE300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1FE950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1FC120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D209A00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D20A9F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1B2CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1CE510
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1F3B40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: 22_2_00007FF78D1F2B40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFA347F61A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFA347F6F52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFA347F0D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFA347F28A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 23_2_00007FFA347F26F7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_00007FFA347E0D6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 28_2_00007FFA347E1980
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Code function: String function: 00007FF606E75680 appears 38 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Code function: String function: 00007FF78D205680 appears 38 times
Source: IJht2pqbVh.exe, type: SAMPLE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe, type: DROPPED | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 22.2.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 0.2.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 22.0.winstrt10.exe.7ff78d1a0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 0.0.IJht2pqbVh.exe.7ff606e10000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: classification engine | Classification label: mal88.rans.adwa.evad.winEXE@44/168@2/3
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Code function: 0_2_00007FF606E65960 memset,GetModuleHandleW,FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyale023.ea2.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: IJht2pqbVh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IJht2pqbVh.exe | Virustotal: Detection: 49%
Source: IJht2pqbVh.exe | Metadefender: Detection: 27%
Source: IJht2pqbVh.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | File read: C:\Users\user\Desktop\IJht2pqbVh.exe
Source: unknown | Process created: C:\Users\user\Desktop\IJht2pqbVh.exe 'C:\Users\user\Desktop\IJht2pqbVh.exe'
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem | fl model
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat''
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTOPEN_ote.html
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem | fl model
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem | fl model
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Users\user\Desktop\IJht2pqbVh.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\rstrt.bat''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6296 CREDAT:17410 /prefetch:2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' get-wmiobject win32_computersystem | fl model
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winstrt10.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell' Start-Process C:\ProgramData\winfrce.bat -Verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C 'C:\ProgramData\winfrce.bat'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe'