Windows Analysis Report
g3y89237.exe

Overview

General Information

Sample name: g3y89237.exe
Analysis ID: 1529307
MD5: 95a6d287978fa62ad30f26bae7aec73b
SHA1: 759461ef978d1fc7d8a0571980b0065b51a61531
SHA256: 48980f70da16b59927768b0e3a4d56c8c98e129f05f7f26b81847ffede708428
Tags: exe, rocketdocs-lol, user-JAMESWT_MHT

Detection

DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Malware Callback Communication
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: g3y89237.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: g3y89237.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.196.9.174:7777 -> 192.168.2.6:49813
Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777 Jump to behavior
Source: global traffic TCP traffic: 192.168.2.6:49813 -> 185.196.9.174:7777
Source: Joe Sandbox View ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Source: unknown TCP traffic detected without corresponding DNS query: 185.196.9.174 (46 identical entries, collapsed)
Source: regsvr32.exe, 00000004.00000002.3418346673.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabG5
Source: regsvr32.exe, 00000004.00000002.3418346673.0000000002350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enen=b03f5f7&
Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2309860244.0000020BAA2B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://osoft.co
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91BB1000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002742000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.00000000026C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2311324939.0000020BAA37E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2304433922.0000020BA1C20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
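The two network findings above ("TCP traffic detected without corresponding DNS query" and "Network Connection Initiated By Regsvr32.EXE") are the same correlation a SOC can run on endpoint telemetry: a connect whose destination IP was never returned by a DNS answer on that host means the process carried a hard-coded address, and regsvr32.exe has no legitimate reason to open a socket at all. The following is an added example, not Joe Sandbox code and not part of this report; it runs the logic over constructed Sysmon-style events (Event ID 22 = DNS query, Event ID 3 = network connect). The event schema, host name, PIDs and the placeholder IP 198.51.100.20 are assumptions; the endpoint 185.196.9.174:7777 and regsvr32.exe as the connecting image come from the report.

```python
"""Flag outbound connects that lack a prior DNS answer or come from a LOLBin.

Added example for this report, not Joe Sandbox code. Event layout is an
assumption modelled on Sysmon Event ID 22 (DNS) and Event ID 3 (network).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Signed Windows binaries that have no business opening outbound sockets.
LOLBIN_NO_NETWORK = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "regasm.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    dest: str                       # "ip:port"
    reasons: list = field(default_factory=list)


def correlate(events):
    """Return a Finding for every outbound connect that looks suspicious.

    A connect is suspicious when (a) the destination IP was never returned
    by a DNS answer seen earlier on the same host, i.e. the process used a
    hard-coded address, or (b) the connecting image is a LOLBin listed in
    LOLBIN_NO_NETWORK. Events are walked in timestamp order so a DNS answer
    only explains connects that follow it. RFC 1918 destinations are kept
    on purpose: internal hosts are normally reached by name as well.
    """
    resolved = {}   # host -> set of IPs returned in DNS answers so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["id"] == 22:
            resolved.setdefault(host, set()).update(ev["answers"])
            continue
        if ev["id"] != 3 or not ev.get("initiated", True):
            continue                # only outbound (initiated) connects
        ip = ip_address(ev["dest_ip"])
        if ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue                # not reachable from outside, skip
        reasons = []
        if str(ip) not in resolved.get(host, set()):
            reasons.append("no_dns_resolution")
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in LOLBIN_NO_NETWORK:
            reasons.append("lolbin_network_connect")
        if reasons:
            findings.append(Finding(ev["pid"], ev["image"],
                                    f"{ip}:{ev['dest_port']}", reasons))
    return findings


# Constructed sample: one benign connect preceded by a DNS answer, then the
# direct-to-IP regsvr32 connect to the C2 endpoint seen in this report.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS01", "id": 22, "pid": 1204,
     "image": r"C:\Windows\System32\svchost.exe",
     "query": "ctldl.windowsupdate.com", "answers": {"198.51.100.20"}},
    {"ts": 2, "host": "WS01", "id": 3, "pid": 1204,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "198.51.100.20", "dest_port": 80, "initiated": True},
    {"ts": 3, "host": "WS01", "id": 3, "pid": 6764,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "dest_ip": "185.196.9.174", "dest_port": 7777, "initiated": True},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.image} -> {f.dest}: {', '.join(f.reasons)}")
```

Only the regsvr32 connect is reported, with both reasons attached; the svchost connect is explained by the preceding DNS answer. On real telemetry the DNS cache should be primed from some minutes of history before connects are judged, otherwise every long-lived session looks unresolved at startup.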

System Summary

Source: 4.2.regsvr32.exe.23d130d.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.regsvr32.exe.668bfd.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.regsvr32.exe.23d130d.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 4.2.regsvr32.exe.668bfd.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3418525753.00000000023D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.3417790081.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5A810 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 0_2_00007FF70BF5A810
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36493C memset,HeapCreate,HeapAlloc,CreateTimerQueue,CreateEventW,GetModuleHandleA,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,DeleteFileW,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,GetLastError,memcpy,CloseHandle, 4_2_00007FFD8B36493C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B396DF0 NtReadFile, 4_2_00007FFD8B396DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3753D0 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 4_2_00007FFD8B3753D0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 0_2_00007FF70BF44F70
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44FE2 0_2_00007FF70BF44FE2
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF81C00 0_2_00007FF70BF81C00
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF88550 0_2_00007FF70BF88550
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF818D9 0_2_00007FF70BF818D9
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF464CC 0_2_00007FF70BF464CC
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5ED20 0_2_00007FF70BF5ED20
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF73D80 0_2_00007FF70BF73D80
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5DDC0 0_2_00007FF70BF5DDC0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4BE10 0_2_00007FF70BF4BE10
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF50E10 0_2_00007FF70BF50E10
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF41E50 0_2_00007FF70BF41E50
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF69E80 0_2_00007FF70BF69E80
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4EF8C 0_2_00007FF70BF4EF8C
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF79F90 0_2_00007FF70BF79F90
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4EFFB 0_2_00007FF70BF4EFFB
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF88000 0_2_00007FF70BF88000
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF89040 0_2_00007FF70BF89040
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF52045 0_2_00007FF70BF52045
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF8C060 0_2_00007FF70BF8C060
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF77060 0_2_00007FF70BF77060
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F06B 0_2_00007FF70BF4F06B
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF6A06A 0_2_00007FF70BF6A06A
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF87090 0_2_00007FF70BF87090
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4A950 0_2_00007FF70BF4A950
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F9A5 0_2_00007FF70BF4F9A5
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF729B0 0_2_00007FF70BF729B0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF459C2 0_2_00007FF70BF459C2
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF489F0 0_2_00007FF70BF489F0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF69A10 0_2_00007FF70BF69A10
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4FA24 0_2_00007FF70BF4FA24
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF46A45 0_2_00007FF70BF46A45
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF64A70 0_2_00007FF70BF64A70
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5BAC0 0_2_00007FF70BF5BAC0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF6DAD0 0_2_00007FF70BF6DAD0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4EB70 0_2_00007FF70BF4EB70
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5FB80 0_2_00007FF70BF5FB80
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4EC30 0_2_00007FF70BF4EC30
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4FC94 0_2_00007FF70BF4FC94
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4CCD0 0_2_00007FF70BF4CCD0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF45526 0_2_00007FF70BF45526
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F583 0_2_00007FF70BF4F583
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F5A6 0_2_00007FF70BF4F5A6
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF6C5B0 0_2_00007FF70BF6C5B0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F5F5 0_2_00007FF70BF4F5F5
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF6A60F 0_2_00007FF70BF6A60F
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4663B 0_2_00007FF70BF4663B
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF45646 0_2_00007FF70BF45646
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF8F660 0_2_00007FF70BF8F660
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF73660 0_2_00007FF70BF73660
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF8F680 0_2_00007FF70BF8F680
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F69D 0_2_00007FF70BF4F69D
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF466A5 0_2_00007FF70BF466A5
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF7A700 0_2_00007FF70BF7A700
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF77750 0_2_00007FF70BF77750
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4B760 0_2_00007FF70BF4B760
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F7AB 0_2_00007FF70BF4F7AB
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F816 0_2_00007FF70BF4F816
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF87819 0_2_00007FF70BF87819
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF75850 0_2_00007FF70BF75850
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4C880 0_2_00007FF70BF4C880
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF81900 0_2_00007FF70BF81900
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF53120 0_2_00007FF70BF53120
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F166 0_2_00007FF70BF4F166
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF75160 0_2_00007FF70BF75160
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF8E1C0 0_2_00007FF70BF8E1C0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF7B1D0 0_2_00007FF70BF7B1D0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF441F8 0_2_00007FF70BF441F8
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF43200 0_2_00007FF70BF43200
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF87240 0_2_00007FF70BF87240
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF72260 0_2_00007FF70BF72260
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF46270 0_2_00007FF70BF46270
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF452E6 0_2_00007FF70BF452E6
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF6A2E7 0_2_00007FF70BF6A2E7
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F37A 0_2_00007FF70BF4F37A
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5E3B0 0_2_00007FF70BF5E3B0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF45406 0_2_00007FF70BF45406
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF6A419 0_2_00007FF70BF6A419
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF70420 0_2_00007FF70BF70420
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF7C430 0_2_00007FF70BF7C430
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF64470 0_2_00007FF70BF64470
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F47C 0_2_00007FF70BF4F47C
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF4F4E9 0_2_00007FF70BF4F4E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34784DFA 2_2_00007FFD34784DFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3478B9F2 2_2_00007FFD3478B9F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3478264D 2_2_00007FFD3478264D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34788D70 2_2_00007FFD34788D70
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3478BAFA 2_2_00007FFD3478BAFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3478B300 2_2_00007FFD3478B300
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34784270 2_2_00007FFD34784270
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34788AB5 2_2_00007FFD34788AB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34783812 2_2_00007FFD34783812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34853C21 2_2_00007FFD34853C21
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36493C 4_2_00007FFD8B36493C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3627CB 4_2_00007FFD8B3627CB
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36358F 4_2_00007FFD8B36358F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B377C20 4_2_00007FFD8B377C20
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B37DAB0 4_2_00007FFD8B37DAB0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B38BB20 4_2_00007FFD8B38BB20
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36EB10 4_2_00007FFD8B36EB10
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B361B17 4_2_00007FFD8B361B17
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B38E8E0 4_2_00007FFD8B38E8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B385910 4_2_00007FFD8B385910
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B398050 4_2_00007FFD8B398050
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B378010 4_2_00007FFD8B378010
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B38CEB0 4_2_00007FFD8B38CEB0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36AED0 4_2_00007FFD8B36AED0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B392ED0 4_2_00007FFD8B392ED0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B382E90 4_2_00007FFD8B382E90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B367E50 4_2_00007FFD8B367E50
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36237F 4_2_00007FFD8B36237F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B38B400 4_2_00007FFD8B38B400
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3832F0 4_2_00007FFD8B3832F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B379310 4_2_00007FFD8B379310
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3771A4 4_2_00007FFD8B3771A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B38E210 4_2_00007FFD8B38E210
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B37E0B0 4_2_00007FFD8B37E0B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3940D0 4_2_00007FFD8B3940D0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B39F060 4_2_00007FFD8B39F060
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B390090 4_2_00007FFD8B390090
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36A120 4_2_00007FFD8B36A120
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B38C7D0 4_2_00007FFD8B38C7D0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B390760 4_2_00007FFD8B390760
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36182A 4_2_00007FFD8B36182A
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3896F0 4_2_00007FFD8B3896F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B393620 4_2_00007FFD8B393620
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B3735F0 4_2_00007FFD8B3735F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B396540 4_2_00007FFD8B396540
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02416A1C 4_2_02416A1C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02416DF8 4_2_02416DF8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02417228 4_2_02417228
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0241A4D4 4_2_0241A4D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02415B40 4_2_02415B40
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_02417CDC 4_2_02417CDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD347914A8 4_2_00007FFD347914A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD34795F45 4_2_00007FFD34795F45
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD347A0E66 4_2_00007FFD347A0E66
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD3479719E 4_2_00007FFD3479719E
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD347A1C12 4_2_00007FFD347A1C12
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD3479CDCD 4_2_00007FFD3479CDCD
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD34797362 4_2_00007FFD34797362
Source: C:\Users\user\Desktop\g3y89237.exe Code function: String function: 00007FF70BF48ED0 appears 63 times
Source: C:\Users\user\Desktop\g3y89237.exe Code function: String function: 00007FF70BF4A360 appears 37 times
Source: C:\Users\user\Desktop\g3y89237.exe Code function: String function: 00007FF70BF5A0A0 appears 75 times
Source: C:\Users\user\Desktop\g3y89237.exe Code function: String function: 00007FF70BF8FD54 appears 72 times
Source: C:\Users\user\Desktop\g3y89237.exe Code function: String function: 00007FF70BF43C30 appears 78 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFD8B374C90 appears 109 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFD8B368330 appears 69 times
Source: QEMs.ini.0.dr Static PE information: Number of sections : 11 > 10
Source: g3y89237.exe Static PE information: Number of sections : 11 > 10
Source: 4.2.regsvr32.exe.23d130d.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.regsvr32.exe.668bfd.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.regsvr32.exe.23d130d.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 4.2.regsvr32.exe.668bfd.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3418525753.00000000023D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.3417790081.000000000064B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/7@0/2
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF5CCF0 memset,FormatMessageW,GetLastError,HeapFree,HeapFree, 0_2_00007FF70BF5CCF0
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF8C060 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,HeapFree,UnmapViewOfFile,CloseHandle,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree, 0_2_00007FF70BF8C060
Source: C:\Users\user\Desktop\g3y89237.exe File created: C:\Users\user\AppData\Roaming\QEMs.ini
Source: C:\Windows\System32\regsvr32.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\LsdacJlsbotslshJmsr
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\cbRHd
Source: C:\Users\user\Desktop\g3y89237.exe Mutant created: \Sessions\1\BaseNamedObjects\MUTEX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_es3wdygj.rbs.ps1
Source: g3y89237.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g3y89237.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: g3y89237.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\g3y89237.exe "C:\Users\user\Desktop\g3y89237.exe"
Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini
Source: C:\Users\user\Desktop\g3y89237.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\g3y89237.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\g3y89237.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\g3y89237.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: amsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: profapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: schannel.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sxs.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devenum.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: devobj.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: msdmo.dll
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\g3y89237.exe File written: C:\Users\user\AppData\Roaming\QEMs.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: g3y89237.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: g3y89237.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation

Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)"
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36493C memset,HeapCreate,HeapAlloc,CreateTimerQueue,CreateEventW,GetModuleHandleA,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,DeleteFileW,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,GetLastError,memcpy,CloseHandle, 4_2_00007FFD8B36493C
Source: g3y89237.exe Static PE information: section name: .xdata
Source: QEMs.ini.0.dr Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3466D2A5 pushad ; iretd 2_2_00007FFD3466D2A6
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_023D4BC4 push es; retf 0000h 4_2_023D4BCC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_023D4C11 push es; retf 4_2_023D4C25
Source: C:\Users\user\Desktop\g3y89237.exe File created: C:\Users\user\AppData\Roaming\QEMs.ini

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 25C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Memory allocated: 1A6C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4478 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5398 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 7597 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 2266 Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\QEMs.ini Jump to dropped file
Source: C:\Users\user\Desktop\g3y89237.exe API coverage: 9.2 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep count: 4478 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep count: 5398 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2244 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4232 Thread sleep count: 7597 > 30 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 5956 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1212 Thread sleep count: 2266 > 30 Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF45304h 0_2_00007FF70BF44F70
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF4542Ch 0_2_00007FF70BF44F70
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF45544h 0_2_00007FF70BF44F70
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 GetSystemTimePreciseAsFileTime followed by cmp: cmp rax, 01h and CTI: jnbe 00007FF70BF4566Ch 0_2_00007FF70BF44F70
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2280528606.0000020B91DD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: regsvr32.exe, 00000004.00000002.3418346673.0000000002350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00007FFD8B36493C memset,HeapCreate,HeapAlloc,CreateTimerQueue,CreateEventW,GetModuleHandleA,GetLastError,memset,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,AddVectoredExceptionHandler,NtQueryInformationProcess,NtQuerySystemInformation,NtOpenThread,RtlFreeHeap,NtGetContextThread,NtSetContextThread,NtClose,DeleteFileW,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddressForCaller,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateEventW,WaitForSingleObject,GetLastError,memcpy,CloseHandle, 4_2_00007FFD8B36493C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF41180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF70BF41180
Source: C:\Users\user\Desktop\g3y89237.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 185.196.9.174 7777 Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe NtWriteFile: Indirect: 0x7FF70BF5A861 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Thread register set: 356 5 Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{8C004488-0C84-408C-CC80-404C848444CC}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries)" Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\regsvr32.exe "regsvr32" /s /i:INSTALL C:\Users\user\AppData/Roaming/QEMs.ini Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/qems.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{8c004488-0c84-408c-cc80-404c848444cc}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)"
Source: C:\Users\user\Desktop\g3y89237.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "register-scheduledtask -action (new-scheduledtaskaction -execute \"regsvr32\" -argument \"/s /i:install c:\users\user\appdata/roaming/qems.ini\") -trigger (new-scheduledtasktrigger -once -at (get-date).addminutes(1) -repetitioninterval (new-timespan -minutes 1)) -taskname 'microsoftedgeupdatetaskmachineua{8c004488-0c84-408c-cc80-404c848444cc}' -description 'default' -settings (new-scheduledtasksettingsset -allowstartifonbatteries -dontstopifgoingonbatteries)" Jump to behavior
Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002738000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3420968424.000000001B772000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002A00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002738000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF88550 GetCurrentProcessId,ProcessPrng,HeapFree,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,CloseHandle, 0_2_00007FF70BF88550
Source: C:\Users\user\Desktop\g3y89237.exe Code function: 0_2_00007FF70BF44F70 CreateMutexA,GetLastError,SHGetKnownFolderPath,lstrlenW,CoTaskMemFree,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,memcpy,memset,RtlFreeHeap,RtlFreeHeap,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF70BF44F70
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: regsvr32.exe, 00000004.00000002.3418346673.00000000023B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3420402664.000000001B1C2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.3420402664.000000001B009000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\regsvr32.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 356, type: MEMORYSTR
Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \\Electrum\\wall
Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb
Source: regsvr32.exe, 00000004.00000002.3418997736.0000000002A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \\Exodus\\exodus
Source: powershell.exe, 00000002.00000002.2324083460.00007FFD34950000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Remote Access Functionality

Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 356, type: MEMORYSTR