Windows Analysis Report
psol.txt.ps1

Overview

General Information

Sample name: psol.txt.ps1
Analysis ID: 1561458
MD5: a08cd6c1b50f050a764180741c3b32c4
SHA1: 8e490919f1fa3ee1a75fd59fa3426d95cc455bd4
SHA256: 47110ef49f5b24c718d63e79c4cbbb0121bdfc4889d42febe5a5409a2f2f3899
Tags: FakeCaptcha, ps1, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Powershell drops PE file
Sample uses string decryption to hide its real strings
Uses an obfuscated file name to hide its real file extension (double extension)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://marshal-zhukov.com/apie; Avira URL Cloud: Label: malware
Source: https://p10tgrace.sbs:443/api Avira URL Cloud: Label: malware
Source: https://owner-vacat10n.sbs:443/api Avira URL Cloud: Label: malware
Source: https://pub-7a0525921ff54f1193db83d7303c6ee8.r2.dev/poltos.zip Avira URL Cloud: Label: phishing
Source: https://p3ar11fter.sbs:443/api- Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com/api&; Avira URL Cloud: Label: malware
Source: setup.exe.2472.5.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["w0rdergen1.cyou", "p3ar11fter.sbs", "processhol.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs", "peepburry828.sbs"], "Build id": "MeHdy4--pl8vs06"}
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe ReversingLabs: Detection: 34%
Source: psol.txt.ps1 ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.2% probability
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: p3ar11fter.sbs
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: 3xp3cts1aim.sbs
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: peepburry828.sbs
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: p10tgrace.sbs
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: processhol.sbs
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: w0rdergen1.cyou
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: unknown HTTPS traffic detected: 172.66.0.235:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.160.80:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: Binary string: D:\a\1\s\src\AdonisUI\obj\Release\net45\AdonisUI.pdbSHA256 source: powershell.exe, 00000000.00000002.2554907242.000001E72DB90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\src\AdonisUI.ClassicTheme\obj\Release\net45\AdonisUI.ClassicTheme.pdb source: powershell.exe, 00000000.00000002.2554907242.000001E72DB4C000.00000004.00000800.00020000.00000000.sdmp, AdonisUI.ClassicTheme.dll.0.dr
Source: Binary string: D:\a\1\s\src\AdonisUI.ClassicTheme\obj\Release\net45\AdonisUI.ClassicTheme.pdbSHA256a source: powershell.exe, 00000000.00000002.2554907242.000001E72DB4C000.00000004.00000800.00020000.00000000.sdmp, AdonisUI.ClassicTheme.dll.0.dr
Source: Binary string: D:\a\1\s\src\AdonisUI\obj\Release\net45\AdonisUI.pdb source: powershell.exe, 00000000.00000002.2554907242.000001E72DB90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp dword ptr [esi+edi*8], AF0E0C2Eh 5_2_0234F377
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6C9BFD46h] 5_2_0234F377
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov dword ptr [esp+04h], esi 5_2_0231F38D
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then inc eax 5_2_02332857
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001F0h] 5_2_0231F057
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000001F0h] 5_2_023200FB
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx-2E5CCB3Ah] 5_2_023538E7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+3C5A9263h] 5_2_0231F93F
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_023139A7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then jmp edx 5_2_023169AD
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp al, 20h 5_2_023141CE
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov ebx, ecx 5_2_0231D637
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+5358945Bh] 5_2_0233FE17
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov byte ptr [edi], dl 5_2_0233FE17
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+45h] 5_2_02315E67
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch] 5_2_0234EE47
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 5_2_02313E47
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 61813E67h 5_2_0233AE97
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 61813E67h 5_2_0233AE97
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [ecx+esi] 5_2_02314727
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov edx, eax 5_2_0232AF57
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp ecx, 02h 5_2_023197C7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov eax, ebp 5_2_02317C27
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then add esi, edi 5_2_0234C467
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax] 5_2_02352D77
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+01AFCF4Ch] 5_2_0231CDA7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then add esi, edi 5_2_02CCA9D0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx-2E5CCB3Ah] 5_2_02CD1E50
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000001F0h] 5_2_02C9E664
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax] 5_2_02CD12E0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ecx, byte ptr [edi+eax] 5_2_02CAB2A3
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov ebx, ecx 5_2_02C9BBCF
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov ecx, dword ptr [esi+08h] 5_2_02CA9BC5
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+45h] 5_2_02C943D0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+5358945Bh] 5_2_02CBE380
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov byte ptr [edi], dl 5_2_02CBE380
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov ebx, ecx 5_2_02C9BBA0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 5_2_02C923B0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch] 5_2_02CCD3B0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+01AFCF4Ch] 5_2_02C9B310
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp dword ptr [esi+edi*8], AF0E0C2Eh 5_2_02CCD8E0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6C9BFD46h] 5_2_02CCD8E0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov dword ptr [esp+04h], esi 5_2_02C9D8F6
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov word ptr [eax], dx 5_2_02CA91D1
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov eax, ebp 5_2_02C96190
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edi, byte ptr [ebx+ecx] 5_2_02CAB108
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+3C5A9263h] 5_2_02C9DEA8
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov ecx, eax 5_2_02CABE0E
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 5_2_02C91F10
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then jmp edx 5_2_02C94F16
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp al, 20h 5_2_02C92737
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx-054FE7FCh] 5_2_02CAACCD
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then mov edx, eax 5_2_02CA94C0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx edx, byte ptr [ecx+esi] 5_2_02C92C90
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx ecx, byte ptr [ebx+eax+288697BFh] 5_2_02CABCB6
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 61813E67h 5_2_02CB9400
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 61813E67h 5_2_02CB9400
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000001F0h] 5_2_02C9D5C0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then inc eax 5_2_02CB0DC0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 4x nop then cmp ecx, 02h 5_2_02C97D30

Networking

Source: Network traffic Suricata IDS: 2057662 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p10tgrace .sbs) : 192.168.2.5:64103 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.5:62687 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057415 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com) : 192.168.2.5:58971 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057666 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peepburry828 .sbs) : 192.168.2.5:58874 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49829 -> 172.67.160.80:443
Source: Network traffic Suricata IDS: 2057696 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (peepburry828 .sbs) : 192.168.2.5:58874 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.5:62687 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057660 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owner-vacat10n .sbs) : 192.168.2.5:56245 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49823 -> 172.67.160.80:443
Source: Network traffic Suricata IDS: 2057652 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (3xp3cts1aim .sbs) : 192.168.2.5:57937 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057695 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (3xp3cts1aim .sbs) : 192.168.2.5:57937 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057664 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (p3ar11fter .sbs) : 192.168.2.5:56059 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057698 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (p3ar11fter .sbs) : 192.168.2.5:56059 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.5:63404 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057654 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (befall-sm0ker .sbs) : 192.168.2.5:63153 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49823 -> 172.67.160.80:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49823 -> 172.67.160.80:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49817 -> 23.55.153.106:443
Source: Malware configuration extractor URLs: w0rdergen1.cyou
Source: Malware configuration extractor URLs: p3ar11fter.sbs
Source: Malware configuration extractor URLs: processhol.sbs
Source: Malware configuration extractor URLs: p10tgrace.sbs
Source: Malware configuration extractor URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor URLs: peepburry828.sbs
Source: Joe Sandbox View IP Address: 23.55.153.106
Source: Joe Sandbox View IP Address: 172.66.0.235
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49829 -> 172.67.160.80:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49823 -> 172.67.160.80:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49817 -> 23.55.153.106:443
Source: global traffic HTTP traffic detected:
    GET /poltos.zip HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pub-7a0525921ff54f1193db83d7303c6ee8.r2.dev
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199724331900 HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: steamcommunity.com
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: marshal-zhukov.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://twitter.com/share?original_referer=http://www.wisecleaner.com/&source=tweetbutton&text=A simple way to delete files blocked by something you do not know.&url=http://www.wisecleaner.com/&via=wisecleanerSVWU equals www.twitter.com (Twitter)
Source: setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.facebook.com/plugins/likebox.php?href=https://www.facebook.com/wisecleanersoft&width=292&height=62&colorscheme=light&show_faces=false&header=false&stream=false&show_border=true&appId=1387712684775306U equals www.facebook.com (Facebook)
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytim equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: pub-7a0525921ff54f1193db83d7303c6ee8.r2.dev
Source: global traffic DNS traffic detected: DNS query: w0rdergen1.cyou
Source: global traffic DNS traffic detected: DNS query: processhol.sbs
Source: global traffic DNS traffic detected: DNS query: librari-night.sbs
Source: global traffic DNS traffic detected: DNS query: befall-sm0ker.sbs
Source: global traffic DNS traffic detected: DNS query: p10tgrace.sbs
Source: global traffic DNS traffic detected: DNS query: peepburry828.sbs
Source: global traffic DNS traffic detected: DNS query: owner-vacat10n.sbs
Source: global traffic DNS traffic detected: DNS query: 3xp3cts1aim.sbs
Source: global traffic DNS traffic detected: DNS query: p3ar11fter.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: marshal-zhukov.com
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: marshal-zhukov.com
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/275944
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/378067
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/437891.
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/456214
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/510270
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/642141
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/672186).
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/819404
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/932466
Source: resources.pak0.0.dr String found in binary or memory: http://crbug.com/957772
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://info.wisecleaner.com/messages/index.php?to=checknews&pid=%dU
Source: powershell.exe, 00000000.00000002.2583471088.000001E73BB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2583471088.000001E73BA0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp, rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsps.ssl.com0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsps.ssl.com0?
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BBC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000000.00000002.2554907242.000001E72B9A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://service.weibo.com/share/share.php?url=https%3A%2F%2Fwww.wisecleaner.com.cn
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sslcom.crl.certum.pl/ctnca.crl0s
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sslcom.ocsp-certum.com08
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sslcom.repository.certum.pl/ctnca.cer0:
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.8=
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cooki
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://tieba.baidu.com/f/commit/share/openShareApi?url=https://www.wisecleaner.com.cn
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BBC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp, Register.dll.0.dr String found in binary or memory: http://www.indyproject.org/
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.thomaslevesque.com/2009/03/27/wpf-automatically-sort-a-gridview-when-a-column-header-is-c
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72C2F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72C32E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72C2EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/reporting.html
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.com
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.com/&via=wisecleanerSVWU
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.com/news/w365info.htmU
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.com/software_update/getinfo.php?p_id=7
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/install_statistics/index.php?p=install_statistics
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=fetch-unread-message
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=home
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=my-feedback
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=my-feedbackU
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=question
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=upload-fileU
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.wisecleaner.net/wisecleaner_feedback/index.php?to=write-questionhttp://www.wisecleaner.ne
Source: setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://3xp3cts1aim.sbs:443/api
Source: powershell.exe, 00000000.00000002.2554907242.000001E72B9A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.cw
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: hr.pak.0.dr, am.pak.0.dr String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/entry?template=Safety
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/publD:
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=TtnlHyaDdydL&a
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cjx2-oLb
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=1aq3
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=utrRJIcYVmWz&l=e
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/share
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_rei
Source: setup.exe, 00000005.00000003.2782014101.0000000000A88000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tv~
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/publich
Source: powershell.exe, 00000000.00000002.2583471088.000001E73BA0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2583471088.000001E73BA0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2583471088.000001E73BA0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: resources.pak0.0.dr String found in binary or memory: https://crbug.com/1201800
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://forum.wisecleaner.com/S
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BBC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DB90000.00000004.00000800.00020000.00000000.sdmp, AdonisUI.ClassicTheme.dll.0.dr String found in binary or memory: https://github.com/benruehl/adonis-ui.git
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/micdenny/WpfScreenHelper/
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/novotnyllc/bc-csharp
Source: setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/8
Source: setup.exe, 00000005.00000002.2784098293.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/P?1
Source: setup.exe, 00000005.00000003.2782062262.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api&;
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/api5zQ
Source: setup.exe, 00000005.00000002.2784098293.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apiN
Source: setup.exe, 00000005.00000002.2784098293.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apie;
Source: setup.exe, 00000005.00000003.2782062262.0000000000A35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com/apisT
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com:443/api
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://marshal-zhukov.com:443/apiN
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: powershell.exe, 00000000.00000002.2583471088.000001E73BB50000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2583471088.000001E73BA0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://owner-vacat10n.sbs:443/api
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p10tgrace.sbs:443/api
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://p3ar11fter.sbs:443/api-
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://peepburry828.sbs:443/api5
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://processhol.sbs:443/api
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BBC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pub-7a0525921ff54f1193db83d7303c6ee8.r2.dev
Source: powershell.exe, 00000000.00000002.2554907242.000001E72BBC8000.00000004.00000800.00020000.00000000.sdmp, psol.txt.ps1 String found in binary or memory: https://pub-7a0525921ff54f1193db83d7303c6ee8.r2.dev/poltos.zip
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytim
Source: rtl120.bpl.0.dr, Register.dll.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?url=https%3A%2F%2Fwww.wisecleaner.com.cn
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: setup.exe, 00000005.00000003.2777562300.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C820d04e8bfee2ac
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000000.00000002.2554907242.000001E72D424000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D14B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D48A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D232000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D1D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D37F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D33C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D275000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D18F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D4CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D2FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D2B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72D3C1000.00000004.00000800.00020000.00000000.sdmp, fr.pak.0.dr, hr.pak.0.dr, am.pak.0.dr String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://system.data.sqlite.org/
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://twitter.com/share?original_referer=http://www.wisecleaner.com/&source=tweetbutton&text=A
Source: setup.exe, 00000005.00000003.2782062262.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000002.2784098293.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.00000000009FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://w0rdergen1.cyou:443/apiw
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://wisecleaner.com/help/wiseforcedeleter/S
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/CPS0
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DACC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.codeproject.com/Articles/54472/Defining-WPF-Adorners-in-XAML
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: powershell.exe, 00000000.00000002.2554907242.000001E72DA30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: powershell.exe, 00000000.00000002.2554907242.000001E72C633000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2697940557.00000000034F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ssl.com/repository0
Source: setup.exe, 00000005.00000003.2777471650.0000000000A84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.wisecleaner.com/help.htmlS
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.wisecleaner.com/language.htmlU
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.wisecleaner.com/wise-force-deleter.html
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.wisecleaner.com/wise-force-deleter.htmlU
Source: setup.exe, 00000005.00000003.2697940557.00000000031E6000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000000.2546385365.0000000000418000.00000020.00000001.01000000.00000008.sdmp String found in binary or memory: https://www.wisecleaner.comU
Source: setup.exe, 00000005.00000003.2777562300.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2782062262.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown HTTPS traffic detected: 172.66.0.235:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.160.80:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CC5990 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_02CC5990

System Summary

Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\AdonisUI.ClassicTheme.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\AdonisUI.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Register.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\libvlccore.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\libvlccore.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\rtl120.bpl Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x86\BouncyCastle.Crypto.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\Register.dll Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x86\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023629DA NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 5_2_023629DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 0_2_00007FF848E569D8 0_2_00007FF848E569D8
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023629DA 5_2_023629DA
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231061A 5_2_0231061A
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231EA79 5_2_0231EA79
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02314A67 5_2_02314A67
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231AB27 5_2_0231AB27
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0234BB17 5_2_0234BB17
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231F38D 5_2_0231F38D
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02318817 5_2_02318817
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231C065 5_2_0231C065
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02332857 5_2_02332857
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0234B8B7 5_2_0234B8B7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023200FB 5_2_023200FB
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02318147 5_2_02318147
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231B987 5_2_0231B987
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023471D7 5_2_023471D7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023339C7 5_2_023339C7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231A637 5_2_0231A637
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02315E67 5_2_02315E67
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0234BE47 5_2_0234BE47
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0233AE97 5_2_0233AE97
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0232F717 5_2_0232F717
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023197C7 5_2_023197C7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02317C27 5_2_02317C27
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0234C467 5_2_0234C467
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02315467 5_2_02315467
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02318CB7 5_2_02318CB7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02317538 5_2_02317538
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231B527 5_2_0231B527
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02331D07 5_2_02331D07
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231CDA7 5_2_0231CDA7
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C99090 5_2_02C99090
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CCA9D0 5_2_02CCA9D0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C9E664 5_2_02C9E664
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C9A5CE 5_2_02C9A5CE
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C99A90 5_2_02C99A90
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C95AA4 5_2_02C95AA4
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CB0270 5_2_02CB0270
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C97220 5_2_02C97220
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C943D0 5_2_02C943D0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C98BA0 5_2_02C98BA0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CCA3B0 5_2_02CCA3B0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C9B310 5_2_02C9B310
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C9D8F6 5_2_02C9D8F6
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CCA080 5_2_02CCA080
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C939D0 5_2_02C939D0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C96190 5_2_02C96190
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CAB108 5_2_02CAB108
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C99EF0 5_2_02C99EF0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C966B0 5_2_02C966B0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CC9E20 5_2_02CC9E20
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C92FD0 5_2_02C92FD0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C9CFE2 5_2_02C9CFE2
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CC5740 5_2_02CC5740
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CB1F30 5_2_02CB1F30
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CAACCD 5_2_02CAACCD
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CADC80 5_2_02CADC80
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CB9400 5_2_02CB9400
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CB0DC0 5_2_02CB0DC0
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C96D80 5_2_02C96D80
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CAA50F 5_2_02CAA50F
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02C97D30 5_2_02C97D30
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Extracted1\Register.dll 372B14FCE2EB35B264F6D4AEEF7987DA56D951D3A09EF866CF55ED72763CAA12
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Extracted1\libvlccore.dll 9126D9ABF91585456000FFFD9336478E91B9EA07ED2A25806A4E2E0437F96D29
Source: libvlccore.dll0.0.dr Static PE information: Number of sections : 12 > 10
Source: libvlccore.dll.0.dr Static PE information: Number of sections : 12 > 10
Source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: MinionPro-BoldIt.otf.0.dr Binary or memory string: .SLngd
Source: powershell.exe, 00000000.00000002.2549359328.000001E729AE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBpuy
Source: classification engine Classification label: mal100.troj.evad.winPS1@4/231@12/3
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02310D2A CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next, 5_2_02310D2A
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CCA9D0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW, 5_2_02CCA9D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lawaq4la.agj.ps1
Source: Yara match File source: 5.0.setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.2697940557.00000000031CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2546385365.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Extracted1\resource_\rtl120.bpl, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: psol.txt.ps1 ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\psol.txt.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Extracted1\setup.exe "C:\Users\user\AppData\Roaming\Extracted1\setup.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Section loaded: profapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: D:\a\1\s\src\AdonisUI\obj\Release\net45\AdonisUI.pdbSHA256 source: powershell.exe, 00000000.00000002.2554907242.000001E72DB90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\src\AdonisUI.ClassicTheme\obj\Release\net45\AdonisUI.ClassicTheme.pdb source: powershell.exe, 00000000.00000002.2554907242.000001E72DB4C000.00000004.00000800.00020000.00000000.sdmp, AdonisUI.ClassicTheme.dll.0.dr
Source: Binary string: D:\a\1\s\src\AdonisUI.ClassicTheme\obj\Release\net45\AdonisUI.ClassicTheme.pdbSHA256a source: powershell.exe, 00000000.00000002.2554907242.000001E72DB4C000.00000004.00000800.00020000.00000000.sdmp, AdonisUI.ClassicTheme.dll.0.dr
Source: Binary string: D:\a\1\s\src\AdonisUI\obj\Release\net45\AdonisUI.pdb source: powershell.exe, 00000000.00000002.2554907242.000001E72DB90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2015\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: powershell.exe, 00000000.00000002.2554907242.000001E72BE7A000.00000004.00000800.00020000.00000000.sdmp
Source: AdonisUI.ClassicTheme.dll.0.dr Static PE information: 0xCA5C7745 [Sun Aug 1 15:31:17 2077 UTC]
Source: setup.exe.0.dr Static PE information: section name: .didata
Source: libvlccore.dll.0.dr Static PE information: section name: .buildid
Source: libvlccore.dll.0.dr Static PE information: section name: /4
Source: libvlccore.dll0.0.dr Static PE information: section name: .buildid
Source: libvlccore.dll0.0.dr Static PE information: section name: /4
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_023239CE push esp; iretd 5_2_023239CF
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02323760 push esp; iretd 5_2_02323761
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CA794A push ebp; retf 5_2_02CA794B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\AdonisUI.ClassicTheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\SQLite.Interop.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\AdonisUI.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\resource_\Register.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Extracted1\libvlccore.dll

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: txt.ps1 Static PE information: psol.txt.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4912
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 1574
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\AdonisUI.ClassicTheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\SQLite.Interop.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x64\AdonisUI.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\Register.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\libvlccore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\libvlccore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\rtl120.bpl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x86\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\resource_\Font\Pfm\Locals\x86\SQLite.Interop.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Extracted1\Register.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7160 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe TID: 2820 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe TID: 7064 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: setup.exe, 00000005.00000003.2782062262.00000000009E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: setup.exe, 00000005.00000003.2777562300.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2777562300.0000000000A30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.2586241744.000001E743AE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02CCF860 LdrInitializeThunk, 5_2_02CCF860
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02310BDA mov eax, dword ptr fs:[00000030h] 5_2_02310BDA
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231061A mov edx, dword ptr fs:[00000030h] 5_2_0231061A
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02311229 mov eax, dword ptr fs:[00000030h] 5_2_02311229
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_0231122A mov eax, dword ptr fs:[00000030h] 5_2_0231122A
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Code function: 5_2_02310F8A mov eax, dword ptr fs:[00000030h] 5_2_02310F8A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: setup.exe String found in binary or memory: p3ar11fter.sbs
Source: setup.exe String found in binary or memory: 3xp3cts1aim.sbs
Source: setup.exe String found in binary or memory: processhol.sbs
Source: setup.exe String found in binary or memory: w0rdergen1.cyou
Source: setup.exe String found in binary or memory: peepburry828.sbs
Source: setup.exe String found in binary or memory: p10tgrace.sbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Extracted1\setup.exe "C:\Users\user\AppData\Roaming\Extracted1\setup.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Extracted1\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000005.00000002.2785261355.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY